GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-18 07:57:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.D005 465,76GB Running: x8k1mu41.exe; Driver: C:\Users\Marta\AppData\Local\Temp\kwddikog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448 fffff80003a0a000 45 bytes [00, 00, 10, 02, 4D, 6D, 43, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 495 fffff80003a0a02f 16 bytes [00, 18, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[2660] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[2660] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[2660] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[2660] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[2660] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[2660] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[2660] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007682e96b 5 bytes JMP 0000000174b215b4 .text C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe[3196] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007682eba5 5 bytes JMP 0000000174b2119a .text C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe[3428] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe[3428] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe[3428] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe[3428] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe[3428] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007682e96b 5 bytes JMP 0000000174b215b4 .text C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe[3428] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007682eba5 5 bytes JMP 0000000174b2119a .text C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe[3428] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe[3428] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!CreateEventA + 8 0000000077053254 7 bytes JMP 0000000100ee0df0 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!lstrcmpW + 30 000000007705590f 7 bytes JMP 0000000100eb1000 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!LoadResource + 8 000000007705591c 7 bytes JMP 0000000100ed9e00 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!LockResource + 19 0000000077055934 7 bytes JMP 0000000100ed2180 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!GetLocalTime + 30 0000000077055a8c 7 bytes JMP 0000000100eda1f0 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!GetQueuedCompletionStatus + 19 000000007706d3a6 7 bytes JMP 0000000100efd050 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007682e96b 5 bytes JMP 0000000174b215b4 .text C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe[3508] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007682eba5 5 bytes JMP 0000000174b2119a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007682e96b 5 bytes JMP 0000000174b215b4 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007682eba5 5 bytes JMP 0000000174b2119a .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3820] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNEL32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3840] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007682e96b 5 bytes JMP 0000000174b215b4 .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007682eba5 5 bytes JMP 0000000174b2119a .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[3880] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3908] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3940] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007682e96b 5 bytes JMP 0000000174b215b4 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3940] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007682eba5 5 bytes JMP 0000000174b2119a .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[4056] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756f1465 2 bytes [6F, 75] .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[4056] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756f14bb 2 bytes [6F, 75] .text ... * 2 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNEL32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007682e96b 5 bytes JMP 0000000174b215b4 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007682eba5 5 bytes JMP 0000000174b2119a .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756f1465 2 bytes [6F, 75] .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3816] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756f14bb 2 bytes [6F, 75] .text ... * 2 .text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[1856] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[1856] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[1696] C:\windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[1696] C:\windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[1696] C:\windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[1696] C:\windows\syswow64\KERNEL32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[1696] C:\windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[1696] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[1696] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5352] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\kernel32.dll!RegSetValueExA 0000000077061409 7 bytes JMP 0000000174b2128f .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007707b21b 5 bytes JMP 0000000174b2159b .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000770f8e24 7 bytes JMP 0000000174b21339 .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000770f8ea9 5 bytes JMP 0000000174b216b8 .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000770f91ff 5 bytes JMP 0000000174b2101e .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ee1d29 5 bytes JMP 0000000174b211d1 .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ee1dd7 5 bytes JMP 0000000174b21019 .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ee2ab1 5 bytes JMP 0000000174b2154b .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ee2d17 5 bytes JMP 0000000174b21276 .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007682e96b 5 bytes JMP 0000000174b215b4 .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007682eba5 5 bytes JMP 0000000174b2119a .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076a55ea5 5 bytes JMP 0000000174b215e6 .text C:\Users\Marta\Desktop\x8k1mu41.exe[1224] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076a89d0b 5 bytes JMP 0000000174b2122b ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800124fe94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800124fc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001250614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001250a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800125086c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80043142c0 Device \FileSystem\fastfat \Fat fffffa800af6d2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{221E7ECC-3860-48B0-B7EE-9517073148AF} fffffa80067f22c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006e212c0 Device \Driver\cdrom \Device\CdRom0 fffffa800675c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B8DB9482-9319-4562-BEBA-F85B2A281F57} fffffa80067f22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{CF7D309F-6554-4669-A98C-35F9354357FB} fffffa80067f22c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006e212c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006e212c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D1A96835-7C74-46B1-891B-F7F07EFDF112} fffffa80067f22c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80067f22c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006e212c0 ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\taskhost.exe [1944:2124] 000007fefb0a1010 Thread C:\windows\system32\taskhost.exe [1944:5168] 000007fef74c5170 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe (*** suspicious ***) @ C:\ProgramData\{e48d5d66-7070-2db1-e48d-d5d667077599}\Glee.S06E01.HDTV.x264-KILLERS.mp4(1).exe [3508](2015-01-10 16:34:32) 0000000000eb0000 ---- EOF - GMER 2.1 ----