GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-24 14:58:11
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev. 931,51GB
Running: bi9qt5id.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- User code sections - GMER 2.1 ----

.text C:\windows\system32\wininit.exe[924] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\system32\services.exe[984] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\system32\winlogon.exe[844] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text c:\Program Files\Microsoft Security Client\MsMpEng.exe[940] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\system32\atiesrxx.exe[1128] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\System32\svchost.exe[1212] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\system32\svchost.exe[1276] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\system32\svchost.exe[1464] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1496] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1644] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1868] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\Explorer.EXE[2240] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\ProgramData\DatacardService\HWDeviceService64.exe[2540] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075811401 2 bytes JMP 749fb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075811419 2 bytes JMP 749fb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075811431 2 bytes JMP 74a78ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007581144a 2 bytes CALL 749d48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758114dd 2 bytes JMP 74a787a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758114f5 2 bytes JMP 74a78978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007581150d 2 bytes JMP 74a78698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075811525 2 bytes JMP 74a78a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007581153d 2 bytes JMP 749efca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075811555 2 bytes JMP 749f68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007581156d 2 bytes JMP 74a78f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075811585 2 bytes JMP 74a78ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007581159d 2 bytes JMP 74a7865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758115b5 2 bytes JMP 749efd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758115cd 2 bytes JMP 749fb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758116b2 2 bytes JMP 74a78e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758116bd 2 bytes JMP 74a785f1 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\DatacardService\DCSHelper.exe[2944] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[2080] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe[2064] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Samsung\Easy Settings\EasySpeedUpManager.exe[2828] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe[2616] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\ismagent.exe[2820] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe[1096] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe[1072] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075729ebd 5 bytes JMP 000000016b3d99ff
.text C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe[1072] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075730afa 5 bytes JMP 000000016b3de26c
.text C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe[1072] C:\windows\syswow64\USER32.dll!BeginPaint 0000000075731361 5 bytes JMP 000000016b3ec8b4
.text C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe[1072] C:\windows\syswow64\USER32.dll!ValidateRect 0000000075737849 5 bytes JMP 000000016b561f12
.text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2960] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe[2604] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075811401 2 bytes JMP 749fb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075811419 2 bytes JMP 749fb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075811431 2 bytes JMP 74a78ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007581144a 2 bytes CALL 749d48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000758114dd 2 bytes JMP 74a787a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000758114f5 2 bytes JMP 74a78978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007581150d 2 bytes JMP 74a78698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075811525 2 bytes JMP 74a78a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007581153d 2 bytes JMP 749efca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075811555 2 bytes JMP 749f68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007581156d 2 bytes JMP 74a78f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075811585 2 bytes JMP 74a78ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007581159d 2 bytes JMP 74a7865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000758115b5 2 bytes JMP 749efd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000758115cd 2 bytes JMP 749fb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000758116b2 2 bytes JMP 74a78e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000758116bd 2 bytes JMP 74a785f1 C:\windows\syswow64\kernel32.dll
.text C:\Windows\System32\StikyNot.exe[3512] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\Users\User\AppData\Roaming\PLAY ONLINE\ouc.exe[3628] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Daemon Tools Pro\DTShellHlp.exe[3704] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075811401 2 bytes JMP 749fb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075811419 2 bytes JMP 749fb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075811431 2 bytes JMP 74a78ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007581144a 2 bytes CALL 749d48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758114dd 2 bytes JMP 74a787a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758114f5 2 bytes JMP 74a78978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007581150d 2 bytes JMP 74a78698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075811525 2 bytes JMP 74a78a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007581153d 2 bytes JMP 749efca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075811555 2 bytes JMP 749f68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007581156d 2 bytes JMP 74a78f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075811585 2 bytes JMP 74a78ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007581159d 2 bytes JMP 74a7865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758115b5 2 bytes JMP 749efd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758115cd 2 bytes JMP 749fb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758116b2 2 bytes JMP 74a78e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758116bd 2 bytes JMP 74a785f1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000749d8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075811401 2 bytes JMP 749fb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075811419 2 bytes JMP 749fb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075811431 2 bytes JMP 74a78ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007581144a 2 bytes CALL 749d48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758114dd 2 bytes JMP 74a787a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758114f5 2 bytes JMP 74a78978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007581150d 2 bytes JMP 74a78698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075811525 2 bytes JMP 74a78a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007581153d 2 bytes JMP 749efca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075811555 2 bytes JMP 749f68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007581156d 2 bytes JMP 74a78f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075811585 2 bytes JMP 74a78ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007581159d 2 bytes JMP 74a7865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758115b5 2 bytes JMP 749efd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758115cd 2 bytes JMP 749fb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758116b2 2 bytes JMP 74a78e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758116bd 2 bytes JMP 74a785f1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[3976] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[4712] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2220] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Users\User\Downloads\bi9qt5id.exe[7128] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]

---- Processes - GMER 2.1 ----

Process C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [2540](2010-11-16 13:38:16) 000000013f800000
Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [2944] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-11-16 13:37:30) 0000000000400000
Process C:\Users\User\AppData\Roaming\PLAY ONLINE\ouc.exe (*** suspicious ***) @ C:\Users\User\AppData\Roaming\PLAY ONLINE\ouc.exe [3628] (Online Update Clinet/Huawei Technologies Co., Ltd.)(2013-09-30 09:54:02) 0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
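A GMER "User code sections" list is only useful once its entries are grouped: the same one-byte change at kernel32!GetBinaryTypeW in every 64-bit process (+189) and every WoW64 process (+112), the psapi.dll stubs that all jump into kernel32.dll, and the per-process jumps in MsoSync.exe whose targets GMER cannot attribute to any module are three different kinds of finding. The script below is an added example, not GMER's code and not part of this log: it parses the line shapes seen above, groups identical patches across processes, records whether a JMP/CALL lands inside a named module, and surfaces the "suspicious" process marks and the MBR line so an analyst can work the list down. SAMPLE_LOG is a constructed subset of the entries above, one per line as GMER prints them; the regexes, the `uniform_min` threshold and the small `KNOWN_STUBS` table are the example's own assumptions.

```python
"""Parse a GMER 2.1 text report and group its user-mode code patches for triage.

Added example: not GMER's code and not part of the log above. The regexes follow
the line shapes visible in that log; SAMPLE_LOG is a constructed subset of its
entries, written one per line as GMER itself prints them.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----
.text C:\windows\system32\wininit.exe[924] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\system32\services.exe[984] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\windows\Explorer.EXE[2240] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bfef8d 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1496] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000749fa2fd 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075811401 2 bytes JMP 749fb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007581144a 2 bytes CALL 749d48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3240] C:\windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075811401 2 bytes JMP 749fb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe[1072] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075729ebd 5 bytes JMP 000000016b3d99ff
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3772] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000749d8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
---- Processes - GMER 2.1 ----
Process C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [2540](2010-11-16 13:38:16) 000000013f800000
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"              # process image and PID
    r"(?P<module>\S+)!(?P<func>\w+)(?:\s+\+\s+(?P<off>\d+))?"    # patched export, optional offset
    r"\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"
)
PROC_RE = re.compile(r"^Process\s+(?P<path>.+?)\s+(?P<flag>\(\*\*\* suspicious \*\*\*\)\s+)?@\s+.+?\s+\[(?P<pid>\d+)\]")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<note>.+?)\s*$")
PATCH_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)(?:\s+(?P<target_module>\S+))?$")

# Hand-picked x86 byte sequences worth recognising in an inline overwrite (assumption: a
# tiny table, not a disassembler). 31 C0 = xor eax,eax; C2 imm16 = ret imm16.
KNOWN_STUBS = {"31, C0, C2": "xor eax,eax / ret imm16: function neutered to return 0"}


def parse_patch(text):
    """Classify the patch column: inline bytes, or a JMP/CALL with an optional target module."""
    if text.startswith("["):
        return {"kind": "bytes", "bytes": text.strip("[]")}
    m = PATCH_RE.match(text)
    if not m:
        return {"kind": "other", "raw": text}
    return {"kind": m["kind"].lower(), "target": int(m["target"], 16), "target_module": m["target_module"]}


def parse_gmer(text):
    """Return the hook, process and disk entries of a GMER report; other lines are skipped."""
    report = {"hooks": [], "processes": [], "disk": []}
    for line in text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            report["hooks"].append({
                "proc": m["proc"], "pid": int(m["pid"]),
                "module": ntpath.basename(m["module"]).lower(), "func": m["func"],
                "off": int(m["off"] or 0),           # GMER omits "+ 0" for a patch at the entry point
                "addr": int(m["addr"], 16), "size": int(m["size"]), "patch_raw": m["patch"],
            })
        elif m := PROC_RE.match(line):
            report["processes"].append({"path": m["path"], "pid": int(m["pid"]), "suspicious": m["flag"] is not None})
        elif m := DISK_RE.match(line):
            report["disk"].append({"device": m["device"], "note": m["note"]})
    return report


def triage(report, uniform_min=3):
    """Group identical patches across processes and annotate each group."""
    groups = defaultdict(set)
    for h in report["hooks"]:
        groups[(h["module"], h["func"], h["off"], h["patch_raw"])].add(h["pid"])
    findings = []
    for (module, func, off, raw), pids in sorted(groups.items()):
        patch, notes = parse_patch(raw), []
        if len(pids) >= uniform_min:
            notes.append(f"identical in {len(pids)} processes: system-wide, diff against a clean host")
        else:
            notes.append(f"seen in {len(pids)} process(es) only: find who wrote it")
        if patch["kind"] in ("jmp", "call"):
            if patch["target_module"]:
                notes.append(f"{patch['kind']} into {ntpath.basename(patch['target_module'])}")
            else:
                notes.append(f"{patch['kind']} to {patch['target']:x}: target outside any loaded module")
        elif patch["kind"] == "bytes":
            notes += [meaning for prefix, meaning in KNOWN_STUBS.items() if patch["bytes"].startswith(prefix)]
        findings.append({"module": module, "func": func, "off": off, "pids": sorted(pids), "patch": patch, "notes": notes})
    return findings


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    for f in triage(rep):
        print(f"{f['module']}!{f['func']}+{f['off']} pids={f['pids']}: {'; '.join(f['notes'])}")
    for p in rep["processes"]:
        print(f"process {p['path']} [{p['pid']}] suspicious={p['suspicious']}")
    for d in rep["disk"]:
        print(f"disk {d['device']}: {d['note']}")
```

Run it over the full log above (paste the text into a file and pass it to `parse_gmer`) and the list collapses to a handful of groups. The script does not hand out verdicts: a patch that is identical in every process is a property of the machine, to be compared against a clean host of the same build, while a jump whose target GMER could not map to a module is the one to chase with a memory dump of that process. The three processes marked "suspicious" and the "unknown MBR code" line are reported as-is; the MBR in particular needs sector 0 read out and compared with the OEM's own boot code before it is called either way.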