GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-05-14 22:19:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AADS-00S9B0 rev.01.00A01 465,76GB Running: ehm1o81f.exe; Driver: C:\Users\JOHNYB~1\AppData\Local\Temp\fwrdifog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee6f30 5 bytes JMP 0000000136ef01b8 .text C:\Windows\system32\taskhost.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076f0e680 8 bytes JMP 0000000136ef0158 .text C:\Windows\system32\Dwm.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee6f30 5 bytes JMP 0000000136ef01b8 .text C:\Windows\system32\Dwm.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076f0e680 8 bytes JMP 0000000136ef0158 .text C:\Windows\Explorer.EXE[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076f0e680 8 bytes JMP 0000000136ef0158 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee6f30 5 bytes JMP 0000000136ef01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076f0e680 8 bytes JMP 0000000136ef0158 .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[2596] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770c0968 5 bytes JMP 0000000102ddf180 .text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[2596] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770daf7d 5 bytes JMP 0000000102ddefb0 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2896] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770c0968 5 bytes JMP 00000001003df180 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2896] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770daf7d 5 bytes JMP 00000001003defb0 .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 74e4b21b C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 74e4b346 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 74ec8f29 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 74e2489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 74ec8822 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 74ec89f8 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 74ec8718 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 74ec8ae2 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 74e3fca8 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 74e468ef C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 74ec8fe3 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 74ec8b42 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 74ec86dc C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 74e3fd41 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 74e4b2dc C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 74ec8ea4 C:\Windows\syswow64\kernel32.dll .text D:\Program Files (x86)\AVG\AVG2015\avgui.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 74ec8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 74e4b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 74e4b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 74ec8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 74e2489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 74ec8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 74ec89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 74ec8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 74ec8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 74e3fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 74e468ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 74ec8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 74ec8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 74ec86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 74e3fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 74e4b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 74ec8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2352] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 74ec8671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ctfmon.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770c0968 5 bytes JMP 000000010097f180 .text C:\Windows\SysWOW64\ctfmon.exe[3380] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770daf7d 5 bytes JMP 000000010097efb0 .text D:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000176eb0128 .text D:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000176eb0018 .text D:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[3544] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cbdbc0 5 bytes JMP 0000000076eb00a0 .text D:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000176eb0128 .text D:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000176eb0018 .text D:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3552] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cbdbc0 5 bytes JMP 0000000076eb00a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000077070128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000077070018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3820] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cbdbc0 5 bytes JMP 00000000770700a0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000077070128 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000077070018 .text C:\Windows\system32\svchost.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000176eb0128 .text C:\Windows\system32\svchost.exe[4400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000176eb0018 .text C:\Windows\system32\svchost.exe[4400] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cbdbc0 5 bytes JMP 0000000076eb00a0 .text C:\Windows\system32\svchost.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000176eb0128 .text C:\Windows\system32\svchost.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000176eb0018 .text C:\Windows\system32\svchost.exe[4764] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cbdbc0 5 bytes JMP 0000000076eb00a0 .text C:\Windows\System32\svchost.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000176eb0128 .text C:\Windows\System32\svchost.exe[4960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000176eb0018 .text C:\Windows\System32\svchost.exe[4960] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cbdbc0 5 bytes JMP 0000000076eb00a0 .text C:\Windows\system32\DllHost.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000077070128 .text C:\Windows\system32\DllHost.exe[5908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000077070018 .text C:\Windows\system32\DllHost.exe[5908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cbdbc0 5 bytes JMP 00000000770700a0 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000770bfc9c 5 bytes JMP 000000016eec1460 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000770bfe60 5 bytes JMP 000000016eec1120 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770c0968 5 bytes JMP 00000001001af180 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770daf7d 5 bytes JMP 00000001001aefb0 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e33bab 5 bytes JMP 000000016eec1260 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000074cb6143 5 bytes JMP 000000016df044c3 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075dd3e59 5 bytes JMP 000000016dca5685 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075dd3eae 5 bytes JMP 000000016dca7fde .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075dd4731 5 bytes JMP 000000016dca80e0 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075dd5dee 5 bytes JMP 000000016dcbb87d .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075033918 5 bytes JMP 00000001001bc870 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075034406 5 bytes JMP 00000001001bc790 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\WS2_32.dll!connect 0000000075036bdd 5 bytes JMP 00000001001bc740 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\WS2_32.dll!send 0000000075036f01 5 bytes JMP 00000001001bc810 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 74e4b21b C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 74e4b346 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 74ec8f29 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 74e2489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 74ec8822 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 74ec89f8 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 74ec8718 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 74ec8ae2 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 74e3fca8 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 74e468ef C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 74ec8fe3 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 74ec8b42 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 74ec86dc C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 74e3fd41 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 74e4b2dc C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 74ec8ea4 C:\Windows\syswow64\kernel32.dll .text D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE[5952] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 74ec8671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\splwow64.exe[5652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee6f30 5 bytes JMP 0000000136ef01b8 .text C:\Windows\splwow64.exe[5652] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f0de30 5 bytes JMP 0000000077070128 .text C:\Windows\splwow64.exe[5652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df50 5 bytes JMP 0000000077070018 .text C:\Windows\splwow64.exe[5652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076f0e680 8 bytes JMP 0000000136ef0158 .text C:\Windows\splwow64.exe[5652] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076cbdbc0 5 bytes JMP 00000000770700a0 .text C:\Users\johny b good\Downloads\ehm1o81f.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000770bfc9c 5 bytes JMP 000000016eec1460 .text C:\Users\johny b good\Downloads\ehm1o81f.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000770bfe60 5 bytes JMP 000000016eec1120 .text C:\Users\johny b good\Downloads\ehm1o81f.exe[6744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074e33bab 5 bytes JMP 000000016eec1260 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88000ee4e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88000ee4c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88000ee5614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88000ee5a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88000ee586c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP4T1L0-b fffffa80069e62c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80069e62c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa80069e62c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80069e62c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80069e62c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80069e62c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80069e62c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80069e62c0 Device \Driver\a1la6lu5 \Device\Scsi\a1la6lu51 fffffa800826d2c0 Device \Driver\a1la6lu5 \Device\Scsi\a1la6lu51Port6Path0Target0Lun0 fffffa800826d2c0 Device \FileSystem\Ntfs \Ntfs fffffa80069ea2c0 Device \Driver\USBSTOR \Device\0000008e fffffa800937d2c0 Device \Driver\usbohci \Device\USBPDO-5 fffffa80080ff2c0 Device \Driver\USBSTOR \Device\0000008a fffffa800937d2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa80080f52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{594DE92E-9A01-4C6B-AA9F-7A6A22890D43} fffffa8007cd42c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80080f52c0 Device \Driver\USBSTOR \Device\0000009a fffffa800937d2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007d0a2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8007d0a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B75EA858-3982-41CE-8736-DF66950D942F} fffffa8007cd42c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{0733FF6B-C907-41D0-A3C4-CAA2A4072948} fffffa8007cd42c0 Device \Driver\USBSTOR \Device\0000008b fffffa800937d2c0 Device \Driver\usbehci \Device\USBPDO-6 fffffa80080f52c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa80080ff2c0 Device \Driver\USBSTOR \Device\0000009b fffffa800937d2c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa80080ff2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80080ff2c0 Device \Driver\USBSTOR \Device\0000008c fffffa800937d2c0 Device \Driver\usbohci \Device\USBFDO-5 fffffa80080ff2c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa80080f52c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80080f52c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007cd42c0 Device \Driver\USBSTOR \Device\0000008d fffffa800937d2c0 Device \Driver\usbehci \Device\USBFDO-6 fffffa80080f52c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa80080ff2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80069e62c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa80080ff2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80080ff2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80069e62c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80069e62c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80069e62c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80069e62c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80069e62c0 Device \Driver\a1la6lu5 \Device\ScsiPort6 fffffa800826d2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80069e62c0]<< sptd.sys ataport.SYS pciide.sys fffffa80069e62c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007a80060] fffffa8007a80060 Trace 3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> [0xfffffa80079dd9b0] fffffa80079dd9b0 Trace 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007a63060] fffffa8007a63060 Trace \Driver\atapi[0xfffffa80069f8e70] -> IRP_MJ_CREATE -> 0xfffffa80069e62c0 fffffa80069e62c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\a1la6lu5.SYS fffff880143a4000-fffff880143f5000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\taskhost.exe [2044:5708] 0000000072eded70 Thread C:\Windows\system32\taskhost.exe [2044:5712] 0000000072ee2c10 Thread C:\Windows\system32\Dwm.exe [1300:5372] 0000000072eded70 Thread C:\Windows\system32\Dwm.exe [1300:5376] 0000000072ee2c10 Thread C:\Windows\Explorer.EXE [1788:3052] 0000000072ec9460 Thread C:\Windows\Explorer.EXE [1788:5276] 0000000005461d70 Thread C:\Windows\Explorer.EXE [1788:5280] 0000000005465c10 Thread C:\Windows\Explorer.EXE [1788:5284] 0000000005470990 Thread C:\Windows\Explorer.EXE [1788:5288] 00000000054649d0 Thread C:\Windows\Explorer.EXE [1788:5300] 0000000072ec9de0 Thread C:\Windows\SysWOW64\ctfmon.exe [3380:5296] 000000000097e910 Thread C:\Windows\SysWOW64\ctfmon.exe [3380:5692] 0000000000981120 Thread D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE [5952:5920] 00000000001ae910 Thread D:\PROGRA~1\MICROS~1\OFFICE11\WINWORD.EXE [5952:6020] 00000000001b1120 Thread C:\Windows\splwow64.exe [5652:5660] 0000000072eded70 Thread C:\Windows\splwow64.exe [5652:5672] 0000000072ee2c10 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0x45 0xDF 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAA 0x0A 0x5E 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE7 0xC9 0x43 0x50 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0x45 0xDF 0x0E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAA 0x0A 0x5E 0x5C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE7 0xC9 0x43 0x50 ... ---- EOF - GMER 2.1 ----