GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-28 19:33:07
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.D005 465,76GB
Running: gmer.exe; Driver: C:\Users\tomek\AppData\Local\Temp\fwldapow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074ce1401 2 bytes JMP 7688b21b C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074ce1419 2 bytes JMP 7688b346 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074ce1431 2 bytes JMP 76908f29 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074ce144a 2 bytes CALL 7686489d C:\windows\syswow64\KERNEL32.dll
.text ...
* 9 .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074ce14dd 2 bytes JMP 76908822 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074ce14f5 2 bytes JMP 769089f8 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074ce150d 2 bytes JMP 76908718 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074ce1525 2 bytes JMP 76908ae2 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074ce153d 2 bytes JMP 7687fca8 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074ce1555 2 bytes JMP 768868ef C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074ce156d 2 bytes JMP 76908fe3 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074ce1585 2 bytes JMP 76908b42 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074ce159d 2 bytes JMP 769086dc C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074ce15b5 2 bytes JMP 7687fd41 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files 
(x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074ce15cd 2 bytes JMP 7688b2dc C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074ce16b2 2 bytes JMP 76908ea4 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1532] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074ce16bd 2 bytes JMP 76908671 C:\windows\syswow64\KERNEL32.dll .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcbe2db0 5 bytes JMP 000007fffcbd0180 .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcbe37d0 7 bytes JMP 000007fffcbd00d8 .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcbea410 2 bytes JMP 000007fffcbd0110 .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefcbea413 2 bytes [FE, FF] .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcbeaec0 6 bytes JMP 000007fffcbd0148 .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefcfb89e0 8 bytes JMP 000007fffcbd01f0 .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefcfbbe40 8 bytes JMP 000007fffcbd01b8 .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\dxgi.dll!CreateDXGIFactory 000007fef8aedc88 5 bytes JMP 000007fff8ac00d8 .text C:\windows\system32\Dwm.exe[1688] C:\windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef8aede10 5 bytes JMP 000007fff8ac0110 .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\SysWOW64\WSOCK32.dll!recv + 82 0000000071e317fa 2 bytes CALL 768611a9 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] 
C:\windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000071e31860 2 bytes CALL 768611a9 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000071e31942 2 bytes JMP 76617089 C:\windows\syswow64\WS2_32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000071e3194d 2 bytes JMP 7661cba6 C:\windows\syswow64\WS2_32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074ce1401 2 bytes JMP 7688b21b C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074ce1419 2 bytes JMP 7688b346 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074ce1431 2 bytes JMP 76908f29 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074ce144a 2 bytes CALL 7686489d C:\windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074ce14dd 2 bytes JMP 76908822 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074ce14f5 2 bytes JMP 769089f8 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074ce150d 2 bytes JMP 76908718 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074ce1525 2 bytes JMP 76908ae2 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074ce153d 2 bytes JMP 7687fca8 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074ce1555 2 bytes JMP 768868ef C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074ce156d 2 bytes JMP 76908fe3 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074ce1585 2 bytes JMP 76908b42 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074ce159d 2 bytes JMP 769086dc C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074ce15b5 2 bytes JMP 7687fd41 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074ce15cd 2 bytes JMP 7688b2dc C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 
0000000074ce16b2 2 bytes JMP 76908ea4 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074ce16bd 2 bytes JMP 76908671 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074ce1401 2 bytes JMP 7688b21b C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074ce1419 2 bytes JMP 7688b346 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074ce1431 2 bytes JMP 76908f29 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074ce144a 2 bytes CALL 7686489d C:\windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074ce14dd 2 bytes JMP 76908822 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074ce14f5 2 bytes JMP 769089f8 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074ce150d 2 bytes JMP 76908718 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074ce1525 2 bytes JMP 76908ae2 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074ce153d 2 bytes JMP 7687fca8 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074ce1555 2 bytes JMP 768868ef C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074ce156d 2 bytes JMP 76908fe3 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074ce1585 2 bytes JMP 76908b42 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074ce159d 2 bytes JMP 769086dc C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] 
C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074ce15b5 2 bytes JMP 7687fd41 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074ce15cd 2 bytes JMP 7688b2dc C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074ce16b2 2 bytes JMP 76908ea4 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2188] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074ce16bd 2 bytes JMP 76908671 C:\windows\syswow64\kernel32.dll .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076aaa3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076ab3f00 5 bytes JMP 000000016fff0180 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076acffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076adf350 5 bytes JMP 000000016fff0110 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076b09aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076b19530 5 bytes JMP 000000016fff0148 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076b38850 7 bytes JMP 000000016fff01f0 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcbe2db0 5 bytes JMP 000007fffcbd0180 .text C:\Program Files\DellTPad\Apoint.exe[2244] 
C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcbe37d0 7 bytes JMP 000007fffcbd00d8 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcbea410 2 bytes JMP 000007fffcbd0110 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefcbea413 2 bytes [FE, FF] .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcbeaec0 6 bytes JMP 000007fffcbd0148 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefcfb89e0 8 bytes JMP 000007fffcbd01f0 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefcfbbe40 8 bytes JMP 000007fffcbd01b8 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdff7490 11 bytes JMP 000007fffcbd0228 .text C:\Program Files\DellTPad\Apoint.exe[2244] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe00bf00 7 bytes JMP 000007fffcbd0260 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076aaa3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076ab3f00 5 bytes JMP 000000016fff0180 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076acffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076adf350 5 bytes JMP 000000016fff0110 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076b09aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076b19530 5 bytes JMP 
000000016fff0148 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076b38850 7 bytes JMP 000000016fff01f0 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcbe2db0 5 bytes JMP 000007fffcbd0180 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcbe37d0 7 bytes JMP 000007fffcbd00d8 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcbea410 2 bytes JMP 000007fffcbd0110 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefcbea413 2 bytes [FE, FF] .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcbeaec0 6 bytes JMP 000007fffcbd0148 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefcfb89e0 8 bytes JMP 000007fffcbd01f0 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefcfbbe40 8 bytes JMP 000007fffcbd01b8 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdff7490 11 bytes JMP 000007fffcbd0228 .text C:\Program Files\IDT\WDM\sttray64.exe[2280] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe00bf00 7 bytes JMP 000007fffcbd0260 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076aaa3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076ab3f00 5 bytes JMP 000000016fff0180 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076acffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] 
C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076adf350 5 bytes JMP 000000016fff0110 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076b09aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076b19530 5 bytes JMP 000000016fff0148 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076b38850 7 bytes JMP 000000016fff01f0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcbe2db0 5 bytes JMP 000007fffcbd0180 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcbe37d0 7 bytes JMP 000007fffcbd00d8 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcbea410 2 bytes JMP 000007fffcbd0110 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefcbea413 2 bytes [FE, FF] .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcbeaec0 6 bytes JMP 000007fffcbd0148 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefcfb89e0 8 bytes JMP 000007fffcbd01f0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2632] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefcfbbe40 8 bytes JMP 000007fffcbd01b8 .text C:\Program Files\DellTPad\HidFind.exe[2404] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcbe2db0 5 bytes JMP 000007fffcbd0180 .text C:\Program Files\DellTPad\HidFind.exe[2404] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcbe37d0 7 bytes JMP 000007fffcbd00d8 .text C:\Program Files\DellTPad\HidFind.exe[2404] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 
000007fefcbea410 2 bytes JMP 000007fffcbd0110 .text C:\Program Files\DellTPad\HidFind.exe[2404] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefcbea413 2 bytes [FE, FF] .text C:\Program Files\DellTPad\HidFind.exe[2404] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcbeaec0 6 bytes JMP 000007fffcbd0148 .text C:\Program Files\DellTPad\HidFind.exe[2404] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefcfb89e0 8 bytes JMP 000007fffcbd01f0 .text C:\Program Files\DellTPad\HidFind.exe[2404] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefcfbbe40 8 bytes JMP 000007fffcbd01b8 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076aaa3e0 7 bytes JMP 000000016fff0228 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076ab3f00 5 bytes JMP 000000016fff0180 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076acffd0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076adf350 5 bytes JMP 000000016fff0110 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076b09aa0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076b19530 5 bytes JMP 000000016fff0148 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076b38850 7 bytes JMP 000000016fff01f0 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcbe2db0 5 bytes JMP 000007fffcbd0180 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcbe37d0 7 bytes JMP 000007fffcbd00d8 .text C:\Program Files\DellTPad\Apntex.exe[572] 
C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcbea410 2 bytes JMP 000007fffcbd0110 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefcbea413 2 bytes [FE, FF] .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcbeaec0 6 bytes JMP 000007fffcbd0148 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefcfb89e0 8 bytes JMP 000007fffcbd01f0 .text C:\Program Files\DellTPad\Apntex.exe[572] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefcfbbe40 8 bytes JMP 000007fffcbd01b8 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076ebfc9c 5 bytes JMP 000000007ef938b1 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076861efe 7 bytes JMP 0000000174363550 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076908ea4 7 bytes JMP 0000000174363310 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076908f29 5 bytes JMP 00000001743633c0 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076909281 5 bytes JMP 0000000174363320 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000762a1d29 5 bytes JMP 00000001743632b0 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000762a1dd7 5 bytes JMP 0000000174363270 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000762a2ab1 5 bytes JMP 00000001743633d0 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000762a2d1d 5 bytes JMP 00000001743630b0 .text 
C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000074ec8a29 5 bytes JMP 0000000174362c60 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000074ed4572 5 bytes JMP 0000000174363030 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000074eee567 5 bytes JMP 00000001743630a0 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074f27a5c 5 bytes JMP 0000000174363020 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000748ce96b 5 bytes JMP 0000000174362cd0 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000748ceba5 5 bytes JMP 0000000174362ce0 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\ws2_32.dll!GetAddrInfoW 0000000076614889 5 bytes JMP 000000007ef943bd .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074ce1401 2 bytes JMP 7688b21b C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074ce1419 2 bytes JMP 7688b346 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074ce1431 2 bytes JMP 76908f29 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074ce144a 2 bytes CALL 7686489d C:\windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074ce14dd 2 bytes JMP 76908822 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074ce14f5 2 bytes JMP 769089f8 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074ce150d 2 bytes JMP 76908718 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074ce1525 2 bytes JMP 76908ae2 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074ce153d 2 bytes JMP 7687fca8 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074ce1555 2 bytes JMP 768868ef C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074ce156d 2 bytes JMP 76908fe3 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074ce1585 2 bytes JMP 76908b42 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074ce159d 2 bytes JMP 769086dc C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074ce15b5 2 bytes JMP 7687fd41 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074ce15cd 2 bytes JMP 7688b2dc C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074ce16b2 2 bytes 
JMP 76908ea4 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\msiexec.exe[3464] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074ce16bd 2 bytes JMP 76908671 C:\windows\syswow64\kernel32.dll .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076861efe 7 bytes JMP 0000000174363550 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\kernel32.dll!RegSetValueExW 0000000076865b9d 7 bytes JMP 00000001743637f0 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000768713f9 7 bytes JMP 0000000174363650 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 000000007687ea45 7 bytes JMP 0000000174363540 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076908ea4 7 bytes JMP 0000000174363310 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076908f29 5 bytes JMP 00000001743633c0 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076909281 5 bytes JMP 0000000174363320 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000762a1d29 5 bytes JMP 00000001743632b0 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000762a1dd7 5 bytes JMP 0000000174363270 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000762a2ab1 5 bytes JMP 00000001743633d0 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000762a2d1d 5 bytes JMP 00000001743630b0 .text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000748ce96b 5 bytes JMP 0000000174362cd0 .text C:\Users\tomek\Desktop\gmer.exe[5064] 
C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000748ceba5 5 bytes JMP 0000000174362ce0
.text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000074ec8a29 5 bytes JMP 0000000174362c60
.text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000074ed4572 5 bytes JMP 0000000174363030
.text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000074eee567 5 bytes JMP 00000001743630a0
.text C:\Users\tomek\Desktop\gmer.exe[5064] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074f27a5c 5 bytes JMP 0000000174363020

---- Threads - GMER 2.1 ----

Thread C:\windows\SysWOW64\msiexec.exe [3464:3488] 000000007ef9392e

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [1776] (GG drive overlay/GG Network S.A.)(2015-02-23 16:45:51) 000000005c080000
Library C:\Users\tomek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [1776] (GG drive menu/GG Network S.A.)(201 000000005ff80000
Process C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe (*** suspicious ***) @ C:\Users\tomek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [2188] (Microsoft® Volume Shadow Copy Service/Microsoft Corporation)(2015-06-23 08:31:31) 0000000000400000
Library C:\Users\tomek\AppData\Local\Temp\cdo1549757249.dll (*** suspicious ***) @ C:\windows\SysWOW64\msiexec.exe [3464] (Microsoft CDO for Windows Library/Microsoft Corporation)(2015-06-24 12:08:16) 00000000002a0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015007f6c3b
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc7737048afc
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e4d53d000e54
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e4d53d000e54@10f9ee48418c 0x78 0xCF 0x01 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F9A587A2-2AAB-4F24-A5C0-DF8161868DBC}@LeaseObtainedTime 1435508452
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F9A587A2-2AAB-4F24-A5C0-DF8161868DBC}@T1 1435512052
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F9A587A2-2AAB-4F24-A5C0-DF8161868DBC}@T2 1435514752
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F9A587A2-2AAB-4F24-A5C0-DF8161868DBC}@LeaseTerminatesTime 1435515652
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015007f6c3b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\bc7737048afc (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e4d53d000e54 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e4d53d000e54@10f9ee48418c 0x78 0xCF 0x01 0x1A ...

---- EOF - GMER 2.1 ----