GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-08 00:06:56
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\0000007b ATA_____ rev.0009 232,89GB
Running: jhnmqgsg.exe; Driver: C:\Users\Alek\AppData\Local\Temp\aftcqaog.sys

---- System - GMER 2.1 ----

SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwCreateFile [0x907729D8]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwCreateSymbolicLinkObject [0x90772DB6]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwCreateThread [0x907730FE]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwDeleteKey [0x90773472]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwDeleteValueKey [0x90773540]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwDeviceIoControlFile [0x9077368C]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwLoadDriver [0x90775062]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwMapViewOfSection [0x90775480]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwOpenFile [0x90775798]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwOpenKey [0x90775962]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwOpenProcess [0x90775974]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwOpenThread [0x9077603E]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwProtectVirtualMemory [0x907760D2]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwQueueApcThread [0x907760E4]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwSecureConnectPort [0x907763E6]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwSetContextThread [0x90776452]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwSetSystemInformation [0x9077678A]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwSetValueKey [0x907767F4]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwTerminateProcess [0x90776BC6]
SSDT \??\C:\Windows\system32\drivers\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.) ZwWriteVirtualMemory [0x90778CBA]

Code \??\C:\Windows\system32\drivers\mbamchameleon.sys (Malwarebytes Chameleon Protection Driver/Malwarebytes Corporation) KeInsertQueueApc

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1499 8307E9F5 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B8992 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 830BFC94 4 Bytes [D8, 29, 77, 90] {FSUBR DWORD [ECX]; JA 0xffffff94}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11FF 830BFCE4 8 Bytes [B6, 2D, 77, 90, FE, 30, 77, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1243 830BFD28 4 Bytes [72, 34, 77, 90] {JB 0x36; JA 0xffffff94}
.text ntkrnlpa.exe!KeRemoveQueueEx + 124F 830BFD34 8 Bytes [40, 35, 77, 90, 8C, 36, 77, ...] {INC EAX; XOR EAX, 0x368c9077; JA 0xffffff98}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 830BFDF8 4 Bytes [62, 50, 77, 90] {BOUND EDX, [EAX+0x77]; NOP }
.text ...
.text ntkrnlpa.exe!KeInsertQueueApc 830F72E7 5 Bytes JMP 8FCF0BEE \??\C:\Windows\system32\drivers\mbamchameleon.sys (Malwarebytes Chameleon Protection Driver/Malwarebytes Corporation)
? C:\Windows\system32\drivers\ACPI.sys Odmowa dostępu.
? C:\Windows\system32\drivers\msisadrv.sys Odmowa dostępu.
? C:\Windows\system32\drivers\vdrvroot.sys Odmowa dostępu.
? C:\Windows\system32\drivers\pci.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\BATTC.SYS Odmowa dostępu.
? C:\Windows\system32\drivers\volmgr.sys Odmowa dostępu.
.reloc C:\Windows\SYSTEM32\drivers\diskpt.sys section is executable [0x8B747680, 0x15D88, 0xE0000060]
? C:\Windows\system32\drivers\atapi.sys Odmowa dostępu.
? C:\Windows\system32\drivers\ataport.SYS Odmowa dostępu.
? C:\Windows\system32\drivers\PCIIDEX.SYS Odmowa dostępu.
? C:\Windows\system32\drivers\volsnap.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\disk.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\cdrom.sys Odmowa dostępu.
? C:\Windows\system32\drivers\termdd.sys Odmowa dostępu.
? C:\Windows\system32\drivers\mssmbios.sys Odmowa dostępu.
? C:\Windows\system32\drivers\usbuhci.sys Odmowa dostępu.
? C:\Windows\system32\drivers\USBPORT.SYS Odmowa dostępu.
? C:\Windows\system32\drivers\usbehci.sys Odmowa dostępu.
? C:\Windows\system32\drivers\HDAudBus.sys Odmowa dostępu.
? C:\Windows\system32\drivers\1394ohci.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\i8042prt.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\kbdclass.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\mouclass.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\intelppm.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\CmBatt.sys Odmowa dostępu.
? C:\Windows\system32\drivers\CompositeBus.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\rdpbus.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\umbus.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\usbhub.sys Odmowa dostępu.
? C:\Windows\system32\drivers\portcls.sys Odmowa dostępu.
? C:\Windows\system32\drivers\drmk.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\usbccgp.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\USBD.SYS Odmowa dostępu.
? C:\Windows\System32\Drivers\usbvideo.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\monitor.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\hidusb.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\HIDCLASS.SYS Odmowa dostępu.
? C:\Windows\system32\DRIVERS\HIDPARSE.SYS Odmowa dostępu.
? C:\Windows\system32\DRIVERS\kbdhid.sys Odmowa dostępu.
? C:\Windows\system32\DRIVERS\mouhid.sys Odmowa dostępu.
PAGE peauth.sys B5E2B02C 102 Bytes CALL 89D5CA9A
? C:\Users\Alek\AppData\Local\Temp\cpuz137\cpuz137_x32.sys System nie może odnaleźć określonej ścieżki. !
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 B6D8D000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 B6D8D123 629 Bytes [85, D8, B6, FE, 05, 34, 85, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 B6D8D399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F B6D8D3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B B6D8D4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
.text autochk.exe 004611D1 4 Bytes [F8, 0F, 83, 84]
.text autochk.exe 004611D8 10 Bytes [8B, 55, F4, 52, 8B, 4D, E8, ...]
.text autochk.exe 004611E5 11 Bytes [E8, 96, ED, FA, FF, 89, 45, ...]
.text autochk.exe 004611F1 25 Bytes [74, 64, 6A, 5C, 8B, 45, F0, ...]
.text autochk.exe 0046120B 42 Bytes [74, 09, 8B, 4D, FC, 83, C1, ...]
.text ...

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AntiLogger\AntiLogger.exe[2340] kernel32.dll!CreateThread + 1C 7653DD8E 4 Bytes CALL 008B6E1D C:\Program Files\AntiLogger\AntiLogger.exe (Zemana AntiLogger User Interface/Zemana Ltd.)

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\IObit\Advanced SystemCare Ultimate 8\Monitor.exe[492] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [5983DAC0] C:\Program Files\IObit\Advanced SystemCare Ultimate 8\madExcept_.bpl
IAT C:\Program Files\IObit\Advanced SystemCare Ultimate 8\Monitor.exe[492] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [5983DAC0] C:\Program Files\IObit\Advanced SystemCare Ultimate 8\madExcept_.bpl
IAT C:\Program Files\IObit\Advanced SystemCare Ultimate 8\Monitor.exe[492] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [5983DCC4] C:\Program Files\IObit\Advanced SystemCare Ultimate 8\madExcept_.bpl
IAT C:\Program Files\IObit\Advanced SystemCare Ultimate 8\Monitor.exe[492] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [5983DCC4] C:\Program Files\IObit\Advanced SystemCare Ultimate 8\madExcept_.bpl
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7479249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74775652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74775710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7479251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7478857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74784D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [747850D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [747851AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [747866DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [747882D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74788824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74789085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7478E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74784C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\AntiLogger\AntiLogger.exe[2340] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [008B6F70] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana AntiLogger User Interface/Zemana Ltd.)
IAT C:\Program Files\AntiLogger\AntiLogger.exe[2340] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!QueueUserWorkItem] [008B6F70] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana AntiLogger User Interface/Zemana Ltd.)
IAT C:\Program Files\AntiLogger\AntiLogger.exe[2340] @ C:\Windows\system32\WININET.DLL [KERNEL32.dll!QueueUserWorkItem] [008B6F70] C:\Program Files\AntiLogger\AntiLogger.exe (Zemana AntiLogger User Interface/Zemana Ltd.)
IAT C:\Program Files\IObit\IObit Uninstaller\UninstallMonitor.exe[2484] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [5983DAC0] C:\Program Files\IObit\IObit Uninstaller\madExcept_.bpl
IAT C:\Program Files\IObit\IObit Uninstaller\UninstallMonitor.exe[2484] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [5983DAC0] C:\Program Files\IObit\IObit Uninstaller\madExcept_.bpl
IAT C:\Program Files\IObit\IObit Uninstaller\UninstallMonitor.exe[2484] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [5983DCC4] C:\Program Files\IObit\IObit Uninstaller\madExcept_.bpl
IAT C:\Program Files\IObit\IObit Uninstaller\UninstallMonitor.exe[2484] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [5983DCC4] C:\Program Files\IObit\IObit Uninstaller\madExcept_.bpl
IAT C:\Program Files\IObit\Advanced SystemCare Ultimate 8\ASCTray.exe[2548] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [0044CE2C] C:\Program Files\IObit\Advanced SystemCare Ultimate 8\ASCTray.exe (Advanced SystemCare Ultimate Tray/IObit)
IAT C:\Program Files\IObit\Advanced SystemCare Ultimate 8\ASCTray.exe[2548] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044D030] C:\Program Files\IObit\Advanced SystemCare Ultimate 8\ASCTray.exe (Advanced SystemCare Ultimate Tray/IObit)
IAT C:\Program Files\IObit\Advanced SystemCare Ultimate 8\ASCTray.exe[2548] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0044CE2C] C:\Program Files\IObit\Advanced SystemCare Ultimate 8\ASCTray.exe (Advanced SystemCare Ultimate Tray/IObit)
IAT C:\Program Files\IObit\Advanced SystemCare Ultimate 8\ASCTray.exe[2548] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044D030] C:\Program Files\IObit\Advanced SystemCare Ultimate 8\ASCTray.exe (Advanced SystemCare Ultimate Tray/IObit)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [7479249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [74775652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [74775710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [7479251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [7478857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74784D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [747850D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [747851AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [747866DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [747882D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74788824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [74789085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7478E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[37040] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74784C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
AttachedDevice \FileSystem\Ntfs \Ntfs volsnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs pffilter.sys (Protected Folder filter driver/IObit Information Technology)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\Control\SQMServiceList@SQMServiceList netprofm,netman
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060d2d04c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060d2d04c@0017e353d4f6 0x35 0xD4 0xD7 0xE7 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060d2d04c@00119fbfec30 0xD9 0x95 0xE4 0x7C ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060ee4b2b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060ee4b2b@00119fbfec30 0xAB 0xAD 0x3B 0x55 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060ee4b2b@0017e353d4f6 0x50 0xC9 0x39 0xA7 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060ee4b2b@a47760c31a3a 0x9B 0x17 0x48 0xD9 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060ee4b2b@a47760c31796 0x2D 0xBA 0xF7 0x37 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001060ee4b2b@f48e091c575c 0xB0 0x44 0x77 0x7A ...
Reg HKLM\SYSTEM\ControlSet003\Control\SQMServiceList@SQMServiceList netprofm,netman
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060d2d04c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060d2d04c@0017e353d4f6 0x35 0xD4 0xD7 0xE7 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060d2d04c@00119fbfec30 0xD9 0x95 0xE4 0x7C ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060ee4b2b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060ee4b2b@00119fbfec30 0xAB 0xAD 0x3B 0x55 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060ee4b2b@0017e353d4f6 0x50 0xC9 0x39 0xA7 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060ee4b2b@a47760c31a3a 0x9B 0x17 0x48 0xD9 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060ee4b2b@a47760c31796 0x2D 0xBA 0xF7 0x37 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001060ee4b2b@f48e091c575c 0xB0 0x44 0x77 0x7A ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\SQMServiceList@SQMServiceList netprofm,netman
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060d2d04c
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060d2d04c@0017e353d4f6 0x35 0xD4 0xD7 0xE7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060d2d04c@00119fbfec30 0xD9 0x95 0xE4 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ee4b2b
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ee4b2b@00119fbfec30 0xAB 0xAD 0x3B 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ee4b2b@0017e353d4f6 0x50 0xC9 0x39 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ee4b2b@a47760c31a3a 0x9B 0x17 0x48 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ee4b2b@a47760c31796 0x2D 0xBA 0xF7 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001060ee4b2b@f48e091c575c 0xB0 0x44 0x77 0x7A ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout@381b4222-f694-41f0-9685-ff5bb260df2e d5dc4c5d-86af-401f-9043-c5ab37722749
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout@8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@PatchGUID {AC76BA86-7AD7-0000-2550-7A8C40011007}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@MediaCabinet PCW_CAB_RDR11007
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@File pdfshell.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@ComponentVersion 11.0.3.37
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@ProductVersion 11.0.0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@PatchSize 4560
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@PatchAttributes 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@PatchSequence 10013
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@SharedComponent 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DE7F110AFAA90C49809BCC45C22CCB7\68AB67CA7DA75401B744BA0000000010@IsFullFile 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@PatchGUID {AC76BA86-7AD7-0000-2550-7A8C40011007}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@MediaCabinet PCW_CAB_RDR11007
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@File AcroPDF.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@ComponentVersion 11.0.7.79
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@ProductVersion 11.0.0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@PatchSize 45288
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@PatchAttributes 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@PatchSequence 10010
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@SharedComponent 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3441BFA836FB1C34BA6C144E93FBBA96\68AB67CA7DA75401B744BA0000000010@IsFullFile 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@PatchGUID {AC76BA86-7AD7-0000-2550-7A8C40011007}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@MediaCabinet PCW_CAB_RDR11007
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@File armsvc.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@ComponentVersion 1.701.3.3014
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@ProductVersion 11.0.0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@PatchSize 5797
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@PatchAttributes 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@PatchSequence 10003
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@SharedComponent 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3684BFA619C939645B066762586740C5\68AB67CA7DA75401B744BA0000000010@IsFullFile 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@PatchGUID {AC76BA86-7AD7-0000-2550-7A8C40011007}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@MediaCabinet PCW_CAB_RDR11007
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@File adobearmhelper.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@ComponentVersion 1.701.3.3014
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@ProductVersion 11.0.0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@PatchSize 51193
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@PatchAttributes 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@PatchSequence 10001
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@SharedComponent 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6639F7A1600D0DD43B6C80F98BA770EC\68AB67CA7DA75401B744BA0000000010@IsFullFile 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@PatchGUID {AC76BA86-7AD7-0000-2550-7A8C40011007}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@MediaCabinet PCW_CAB_RDR11007
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@File adobearm.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@ComponentVersion 1.701.3.3014
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@ProductVersion 11.0.0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@PatchSize 82174
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@PatchAttributes 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@PatchSequence 10002
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@SharedComponent 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A1BF16734F09DF24787B7AE363E01A86\68AB67CA7DA75401B744BA0000000010@IsFullFile 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{055A7B03-4F2F-5B2F-1127-0CAC8E15F7D8}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{055A7B03-4F2F-5B2F-1127-0CAC8E15F7D8}@jagkhmcfcgocfglobool 0x62 0x61 0x6A 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{055A7B03-4F2F-5B2F-1127-0CAC8E15F7D8}@jagkhmcfcgocfglobocm 0x62 0x61 0x6A 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{772555A8-DA2A-2853-02E7-F85058FFAE29}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{772555A8-DA2A-2853-02E7-F85058FFAE29}@makcmikhcepmailbmlkbelndbd 0x6F 0x61 0x6C 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{772555A8-DA2A-2853-02E7-F85058FFAE29}@ablcfhoepomigfkfimpfakeblaheieegfm 0x70 0x61 0x6A 0x63 ...

---- Files - GMER 2.1 ----

File C:\ProgramData\IObit\Protected Folder\config.ini 57 bytes
File C:\ProgramData\IObit\Protected Folder\drawposs.db 0 bytes
File C:\ProgramData\IObit\Protected Folder\fstile.cds 0 bytes

---- EOF - GMER 2.1 ----