GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-21 16:27:52
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.PC4Z 465,76GB
Running: w4mm11pe.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\afrcaaoc.sys


---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74d1b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74d1b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74d98ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74cf48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74d987a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74d98978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74d98698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74d98a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74d0fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74d168ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74d98f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74d98ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74d9865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74d0fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74d1b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74d98e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3512] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74d985f1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74d1b21b C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74d1b346 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74d98ea9 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74cf48ad C:\windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74d987a2 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74d98978 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74d98698 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74d98a62 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74d0fca8 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74d168ef C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74d98f61 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74d98ac2 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74d9865c C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74d0fd41 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74d1b2dc C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74d98e24 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Greenshot\Greenshot.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74d985f1 C:\windows\syswow64\KERNEL32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000076f7000c 1 byte [C3]
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000076fff8ea 5 bytes JMP 0000000176fad5c1
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74d1b21b C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74d1b346 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74d98ea9 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74cf48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74d987a2 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74d98978 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74d98698 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74d98a62 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74d0fca8 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74d168ef C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74d98f61 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74d98ac2 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74d9865c C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74d0fd41 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74d1b2dc C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74d98e24 C:\windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\regsvr32.exe[4292] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74d985f1 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74d1b21b C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74d1b346 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74d98ea9 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74cf48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74d987a2 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74d98978 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74d98698 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74d98a62 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74d0fca8 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74d168ef C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74d98f61 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74d98ac2 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74d9865c C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74d0fd41 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74d1b2dc C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74d98e24 C:\windows\syswow64\kernel32.dll
.text C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe[4408] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74d985f1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74d1b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74d1b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74d98ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74cf48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74d987a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74d98978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74d98698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74d98a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74d0fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74d168ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74d98f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74d98ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74d9865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74d0fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74d1b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74d98e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7500] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74d985f1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74d1b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74d1b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74d98ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74cf48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74d987a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74d98978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74d98698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74d98a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74d0fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74d168ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74d98f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74d98ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74d9865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74d0fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74d1b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74d98e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[7844] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74d985f1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075471401 2 bytes JMP 74d1b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075471419 2 bytes JMP 74d1b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075471431 2 bytes JMP 74d98ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007547144a 2 bytes CALL 74cf48ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754714dd 2 bytes JMP 74d987a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754714f5 2 bytes JMP 74d98978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007547150d 2 bytes JMP 74d98698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075471525 2 bytes JMP 74d98a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007547153d 2 bytes JMP 74d0fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075471555 2 bytes JMP 74d168ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007547156d 2 bytes JMP 74d98f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075471585 2 bytes JMP 74d98ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007547159d 2 bytes JMP 74d9865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754715b5 2 bytes JMP 74d0fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754715cd 2 bytes JMP 74d1b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754716b2 2 bytes JMP 74d98e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8188] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754716bd 2 bytes JMP 74d985f1 C:\windows\syswow64\kernel32.dll
.text C:\windows\system32\SearchProtocolHost.exe[6160] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076dd1440 5 bytes JMP 0000000076e8227a

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetModuleHandleA] [6f547473756a6441]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetProcAddress] [69766972506e656b]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!Sleep] [736567656c]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!VirtualAllocEx] [1]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!LoadLibraryA] [56656c6946746547]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!CreateFileW] [57657a69536f66]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetStringTypeW] [100000065]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!LCMapStringW] [6365447470797243]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetProcessHeap] [74707972]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetLastError] [53656c6946746547]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetFullPathNameA] [3431323900657a69]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetCommandLineA] [0]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetStartupInfoW] [6572617774666f53]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!UnhandledExceptionFilter] [736f7263694d5c5c]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!SetUnhandledExceptionFilter] [6e69575c5c74666f]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!IsDebuggerPresent] [75435c5c73776f64]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!RtlVirtualUnwind] [726556746e657272]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!RtlLookupFunctionEntry] [75525c5c6e6f6973]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!RtlCaptureContext] [646e65730000006e]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!TerminateProcess] [6464615f74656e69]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetCurrentProcess] [72]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetDriveTypeW] [65736f6c43676552]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!HeapFree] [6b636f730079654b]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!SetHandleCount] [7465]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetStdHandle] [766974614e746547]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!InitializeCriticalSectionAndSpinCount] [496d657473795365]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetFileType] [6f666e]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!SetFilePointer] [6c]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!RtlUnwindEx] [646e6957646e6946]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!MultiByteToWideChar] [7265746e696f]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!ReadFile] [41727453727453]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetModuleHandleW] [746547726578696d]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!WriteFile] [746e6f43656e694c]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetModuleFileNameW] [41736c6f72]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetModuleFileNameA] [6156746553676552]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!FreeEnvironmentStringsW] [57784565756c]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!WideCharToMultiByte] [7e6f6d556f64637d]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetEnvironmentStringsW] [636c557263647f55]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!FlsGetValue] [6f676b64556f66]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!FlsSetValue] [6c6f467465474853]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!FlsFree] [5768746150726564]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!SetLastError] [0]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetCurrentThreadId] [6854657461657243]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!FlsAlloc] [64616572]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!HeapSetInformation] [6e61656c43415357]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetVersion] [7075]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!HeapCreate] [6f646e6957746547]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!QueryPerformanceCounter] [41676e6f4c77]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetTickCount] [6574754d6e65704f]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetCurrentProcessId] [5778]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetSystemTimeAsFileTime] [636f7365736f6c63]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetCurrentDirectoryW] [65656c530074656b]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!SetStdHandle] [7365447470797243]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetConsoleCP] [68736148796f7274]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetConsoleMode] [0]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!CloseHandle] [2466666e6f636879]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!CreateFileA] [766365720066666e]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!FlushFileBuffers] [0]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetCPInfo] [620061006e0045]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetACP] [2000730065006c]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @
C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetOEMCP] [20006500680074] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!IsValidCodePage] [65007400650064] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!LoadLibraryW] [6f006900740063] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!WriteConsoleW] [6c006e0077006f] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!SetEndOfFile] [2000640061006f] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[SETUPAPI.dll!SetupGetSourceInfoA] [740073006e0069] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[SETUPAPI.dll!SetupInstallFileA] [61006c006c0061] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[SETUPAPI.dll!SetupSetDirectoryIdW] [6e006f00690074] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[SETUPAPI.dll!SetupDiUnremoveDevice] [200066006f0020] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[SETUPAPI.dll!SetupQuerySourceListA] [61006400700075] IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[SETUPAPI.dll!SetupQueueDefaultCopyA] [20007300650074] IAT 
C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[SETUPAPI.dll!SetupCopyErrorA] [200072006f0066] ---- Threads - GMER 2.1 ---- Thread C:\windows\System32\svchost.exe [2236:2680] 000007fef3539688 Thread C:\Windows\SysWOW64\regsvr32.exe [4292:5088] 0000000069d49ee9 Thread C:\Program Files\Internet Explorer\iexplore.exe [4788:7416] 0000000004f22160 Thread C:\Program Files\Internet Explorer\iexplore.exe [4788:7420] 0000000004f22190 Thread C:\Program Files\Internet Explorer\iexplore.exe [1936:7444] 0000000004152160 Thread C:\Program Files\Internet Explorer\iexplore.exe [1936:7448] 0000000004152190 Thread C:\Program Files\Internet Explorer\iexplore.exe [7452:8148] 0000000005362160 Thread C:\Program Files\Internet Explorer\iexplore.exe [7452:8152] 0000000005362190 Thread C:\Program Files\Internet Explorer\iexplore.exe [7616:1336] 0000000005442160 Thread C:\Program Files\Internet Explorer\iexplore.exe [7616:2624] 0000000005442190 Thread C:\Program Files\Internet Explorer\iexplore.exe [8120:2224] 0000000004e92160 Thread C:\Program Files\Internet Explorer\iexplore.exe [8120:3300] 0000000004e92190 ---- Processes - GMER 2.1 ---- Process C:\Users\Kuba\AppData\Roaming\Microsoft\Windows\IEUpdate\wecutil.exe (*** suspicious ***) @ C:\Users\Kuba\AppData\Roaming\Microsoft\Windows\IEUpdate\wecutil.exe [2880](2014-04-09 15:00:47) 000000013fb60000 Library C:\Users\Kuba\AppData\Local\Ocpics\DataCD.dll (*** suspicious ***) @ C:\Windows\SysWOW64\regsvr32.exe [4292](2015-02-21 10:29:22) 0000000010000000 Process C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe (*** suspicious ***) @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe [4336](2015-02-21 10:20:48) 0000000140000000 Process C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe (*** suspicious ***) @ C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe [4408] (Keeper Keys/The Eraser Project )(2015-02-17 14:32:05) 0000000000400000 
Process C:\Users\Kuba\AppData\Roaming\Microsoft\Windows\IEUpdate\wecutil.exe (*** suspicious ***) @ C:\Users\Kuba\AppData\Roaming\Microsoft\Windows\IEUpdate\wecutil.exe [6124](2014-04-09 15:00:47) 000000013fb60000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af4d8fb Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af4d8fb (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\Kuba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\02DU1ZJX\k3k702ZOKiLJc3WVjuplzBa1RVmPjeKy21_GQJaLlJIMBOYZXW6.woff 0 bytes File C:\Users\Kuba\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\02DU1ZJX\MTP_ySUJH_bn48VBG8sNSha1RVmPjeKy21_GQJaLlJINKLFQGP7.woff 0 bytes ---- EOF - GMER 2.1 ----
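A note on the IAT block for GoogleUpdate.exe [4336] above, with a small triage script. A genuine import-address-table slot holds the address of the resolved export (something like the 000007fef3539688 or 0000000069d49ee9 seen in the Threads section). The bracketed values GMER prints for this process are not addresses: read as little-endian bytes, 646e6957646e6946 is "FindWind", 41727453727453 is "StrStrA", 6156746553676552 followed by 57784565756c is "RegSetVa" + "lueExW", 6c6f467465474853 followed by 5768746150726564 is "SHGetFol" + "derPathW", and the SETUPAPI entries decode as UTF-16 fragments of a sentence ("inst", "alla", "tion", " of ", "upda", "tes ", "for "). In other words the memory GMER walked as this process's IAT contains API-name strings and description text, not function pointers, which is consistent with the process being flagged "*** suspicious ***" and running from %AppData%\FrameworkUpdate rather than from a Google install path. The script below is an added example, not GMER's code and not something the original poster ran: it parses the "IAT" and "Process"/"Library" line formats exactly as they appear in this log, decodes each slot value, and counts how many slots hold text instead of an address. It assumes an 8-byte (x64) slot, which matches the 64-bit addresses elsewhere in the log; the helper names (decode_slot, parse_iat, parse_suspicious, summarize) are mine, and SAMPLE_LOG is a subset of lines copied verbatim from the log above so the script runs offline.

```python
"""Triage helper for a GMER 2.1 text log (added example, not part of GMER)."""
import re
from typing import List, NamedTuple, Tuple

# Lines copied verbatim from the GMER log above; a subset keeps the sample short.
SAMPLE_LOG = r"""
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!RtlUnwindEx] [646e6957646e6946]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!MultiByteToWideChar] [7265746e696f]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!FlsFree] [5768746150726564]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!SetLastError] [0]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetEnvironmentStringsW] [636c557263647f55]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetCurrentDirectoryW] [65656c530074656b]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[KERNEL32.dll!GetCPInfo] [620061006e0045]
IAT C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[4336] @ C:\Users\Kuba\AppData\Roaming\FrameworkUpdate\GoogleUpdate.exe[SETUPAPI.dll!SetupCopyErrorA] [200072006f0066]
Process C:\Users\Kuba\AppData\Roaming\Microsoft\Windows\IEUpdate\wecutil.exe (*** suspicious ***) @ C:\Users\Kuba\AppData\Roaming\Microsoft\Windows\IEUpdate\wecutil.exe [2880](2014-04-09 15:00:47) 000000013fb60000
Library C:\Users\Kuba\AppData\Local\Ocpics\DataCD.dll (*** suspicious ***) @ C:\Windows\SysWOW64\regsvr32.exe [4292](2015-02-21 10:29:22) 0000000010000000
Process C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe (*** suspicious ***) @ C:\Users\Kuba\AppData\Local\Ocpics\tmpF3F4.exe [4408] (Keeper Keys/The Eraser Project )(2015-02-17 14:32:05) 0000000000400000
"""

# "IAT <proc>[pid] @ <image>[MODULE!Function] [hexvalue]"
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ .+?\[(?P<import>[^\]]+![^\]]+)\] \[(?P<value>[0-9a-fA-F]+)\]$"
)
# "Process|Library <path> (*** suspicious ***) @ <host image> [pid]..."
SUSP_RE = re.compile(
    r"^(?P<kind>Process|Library) (?P<path>.+?) \(\*\*\* suspicious \*\*\*\) @ (?P<host>.+?) \[(?P<pid>\d+)\]"
)

SLOT_BYTES = 8  # assumption: x64 process, so one IAT slot is 8 bytes


class IatSlot(NamedTuple):
    pid: int
    imp: str   # e.g. "KERNEL32.dll!RtlUnwindEx"
    kind: str  # null | utf16 | ascii | address | opaque
    text: str  # decoded text for utf16/ascii, else the raw hex


class Suspicious(NamedTuple):
    kind: str  # Process or Library
    path: str
    host: str  # image the PID belongs to (for a Library, the process it is loaded in)
    pid: int


def decode_slot(hexval: str) -> Tuple[str, str]:
    """Classify one bracketed IAT value. GMER prints the slot as a hex number
    with leading zeros dropped, so reinterpret it as little-endian bytes."""
    value = int(hexval, 16)
    raw = value.to_bytes(SLOT_BYTES, "little")  # raises OverflowError if wider than a slot
    if value == 0:
        return ("null", "")
    printable = lambda b: 0x20 <= b < 0x7F
    # UTF-16LE text: every high byte is zero, every non-zero low byte printable.
    if all(b == 0 for b in raw[1::2]) and all(printable(b) for b in raw[0::2] if b):
        return ("utf16", raw.decode("utf-16-le").rstrip("\0"))
    # ASCII text, possibly with an embedded NUL where one string ends and the next starts.
    if all(printable(b) or b == 0 for b in raw):
        return ("ascii", raw.rstrip(b"\0").decode("ascii").replace("\0", "|"))
    # Plausible user-mode address on x64 (heuristic): below the canonical boundary.
    if 0x10000 <= value < 0x0000_8000_0000_0000:
        return ("address", hexval)
    return ("opaque", hexval)


def parse_iat(log: str) -> List[IatSlot]:
    slots = []
    for line in log.splitlines():
        m = IAT_RE.match(line.strip())
        if m:
            kind, text = decode_slot(m["value"])
            slots.append(IatSlot(int(m["pid"]), m["import"], kind, text))
    return slots


def parse_suspicious(log: str) -> List[Suspicious]:
    found = []
    for line in log.splitlines():
        m = SUSP_RE.match(line.strip())
        if m:
            found.append(Suspicious(m["kind"], m["path"], m["host"], int(m["pid"])))
    return found


def summarize(slots: List[IatSlot]) -> Tuple[int, int]:
    """(non-null slots, slots holding text). A healthy IAT has zero text slots."""
    non_null = [s for s in slots if s.kind != "null"]
    text = [s for s in non_null if s.kind in ("ascii", "utf16")]
    return (len(non_null), len(text))


if __name__ == "__main__":
    for s in parse_iat(SAMPLE_LOG):
        print(f"pid {s.pid} {s.imp:<40} {s.kind:<8} {s.text!r}")
    print("non-null / text slots:", summarize(parse_iat(SAMPLE_LOG)))
    for x in parse_suspicious(SAMPLE_LOG):
        print(f"{x.kind:<8} pid {x.pid:<5} {x.path}  (in {x.host})")
```

Run against the full log rather than the sample, the same script lists every flagged image with its PID and host process (wecutil.exe twice, DataCD.dll inside regsvr32.exe, GoogleUpdate.exe, tmpF3F4.exe) and shows that almost every non-null IAT slot of PID 4336 decodes as text. The address heuristic is deliberately loose; it is there to separate the few values that could be pointers from the ones that plainly cannot be, not to validate them.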