GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-22 22:39:29
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000073 Hitachi_ rev.JE4O 698,64GB
Running: gmer.exe; Driver: C:\Users\Paula\AppData\Local\Temp\kwddrkob.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754e1401 2 bytes JMP 76d6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754e1419 2 bytes JMP 76d6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754e1431 2 bytes JMP 76de8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754e144a 2 bytes CALL 76d448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754e14dd 2 bytes JMP 76de87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754e14f5 2 bytes JMP 76de8978 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754e150d 2 bytes JMP 76de8698 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754e1525 2 bytes JMP 76de8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754e153d 2 bytes JMP 76d5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754e1555 2 bytes JMP 76d668ef C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754e156d 2 bytes JMP 76de8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754e1585 2 bytes JMP 76de8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754e159d 2 bytes JMP 76de865c C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754e15b5 2 bytes JMP 76d5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754e15cd 2 bytes JMP 76d6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754e16b2 2 bytes JMP 76de8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[2256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754e16bd 2 bytes JMP 76de85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754e1401 2 bytes JMP 76d6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754e1419 2 bytes JMP 76d6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754e1431 2 bytes JMP 76de8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754e144a 2 bytes CALL 76d448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754e14dd 2 bytes JMP 76de87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754e14f5 2 bytes JMP 76de8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754e150d 2 bytes JMP 76de8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754e1525 2 bytes JMP 76de8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754e153d 2 bytes JMP 76d5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754e1555 2 bytes JMP 76d668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754e156d 2 bytes JMP 76de8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754e1585 2 bytes JMP 76de8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754e159d 2 bytes JMP 76de865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754e15b5 2 bytes JMP 76d5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754e15cd 2 bytes JMP 76d6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754e16b2 2 bytes JMP 76de8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754e16bd 2 bytes JMP 76de85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 00000000754e1401 2 bytes JMP 76d6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 00000000754e1419 2 bytes JMP 76d6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 00000000754e1431 2 bytes JMP 76de8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 00000000754e144a 2 bytes CALL 76d448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000754e14dd 2 bytes JMP 76de87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000754e14f5 2 bytes JMP 76de8978 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 00000000754e150d 2 bytes JMP 76de8698 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 00000000754e1525 2 bytes JMP 76de8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 00000000754e153d 2 bytes JMP 76d5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 00000000754e1555 2 bytes JMP 76d668ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 00000000754e156d 2 bytes JMP 76de8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 00000000754e1585 2 bytes JMP 76de8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 00000000754e159d 2 bytes JMP 76de865c C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000754e15b5 2 bytes JMP 76d5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000754e15cd 2 bytes JMP 76d6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000754e16b2 2 bytes JMP 76de8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe[4688] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000754e16bd 2 bytes JMP 76de85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754e1401 2 bytes JMP 76d6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754e1419 2 bytes JMP 76d6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754e1431 2 bytes JMP 76de8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754e144a 2 bytes CALL 76d448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754e14dd 2 bytes JMP 76de87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754e14f5 2 bytes JMP 76de8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754e150d 2 bytes JMP 76de8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754e1525 2 bytes JMP 76de8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754e153d 2 bytes JMP 76d5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754e1555 2 bytes JMP 76d668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754e156d 2 bytes JMP 76de8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754e1585 2 bytes JMP 76de8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754e159d 2 bytes JMP 76de865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754e15b5 2 bytes JMP 76d5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754e15cd 2 bytes JMP 76d6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754e16b2 2 bytes JMP 76de8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4820] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754e16bd 2 bytes JMP 76de85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[4240] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076d48791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754e1401 2 bytes JMP 76d6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754e1419 2 bytes JMP 76d6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754e1431 2 bytes JMP 76de8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754e144a 2 bytes CALL 76d448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754e14dd 2 bytes JMP 76de87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754e14f5 2 bytes JMP 76de8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754e150d 2 bytes JMP 76de8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754e1525 2 bytes JMP 76de8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754e153d 2 bytes JMP 76d5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754e1555 2 bytes JMP 76d668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754e156d 2 bytes JMP 76de8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754e1585 2 bytes JMP 76de8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754e159d 2 bytes JMP 76de865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754e15b5 2 bytes JMP 76d5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754e15cd 2 bytes JMP 76d6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754e16b2 2 bytes JMP 76de8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[5036] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754e16bd 2 bytes JMP 76de85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754e1401 2 bytes JMP 76d6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754e1419 2 bytes JMP 76d6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754e1431 2 bytes JMP 76de8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754e144a 2 bytes CALL 76d448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754e14dd 2 bytes JMP 76de87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754e14f5 2 bytes JMP 76de8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754e150d 2 bytes JMP 76de8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754e1525 2 bytes JMP 76de8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754e153d 2 bytes JMP 76d5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754e1555 2 bytes JMP 76d668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754e156d 2 bytes JMP 76de8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754e1585 2 bytes JMP 76de8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754e159d 2 bytes JMP 76de865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754e15b5 2 bytes JMP 76d5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754e15cd 2 bytes JMP 76d6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754e16b2 2 bytes JMP 76de8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4812] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754e16bd 2 bytes JMP 76de85f1 C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Library c:\users\paula\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpc_rjix.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688](2015-05-22 19:51:39) 00000000052d0000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:24) 0000000065b40000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (ICU I18N DLL/The ICU Project)(2015-03-04 21:45:30) 000000004a900000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (ICU Common DLL/The ICU Project)(2015-03-04 21:45:30) 0000000005a70000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (ICU Data DLL/The ICU Project)(2015-03-04 21:45:30) 000000004ad00000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28) 00000000674f0000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000065520000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688](2015-03-04 21:45:30) 0000000073730000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000065340000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000060730000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000065120000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000064340000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000073700000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688](2015-03-04 21:45:30) 0000000073e10000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28) 000000006e7c0000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006c6d0000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006c320000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688](2015-03-04 21:45:30) 000000006c240000
Library C:\Users\Paula\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Paula\AppData\Roaming\Dropbox\bin\Dropbox.exe [4688](2015-03-04 21:45:30) 000000006c200000
Process C:\Users\Paula\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe (*** suspicious ***) @ C:\Users\Paula\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe [5024](2014-01-28 16:36:04) 0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----