GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-02 14:14:21
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545050B9A300 rev.PB4OC64G 465,76GB
Running: jhnmqgsg.exe; Driver: C:\Users\Alicja\AppData\Local\Temp\kwrdypoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000761d1401 2 bytes JMP 7685b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000761d1419 2 bytes JMP 7685b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000761d1431 2 bytes JMP 768d8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000761d144a 2 bytes CALL 7683489d C:\Windows\syswow64\kernel32.dll
.text ...
* 9 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761d14dd 2 bytes JMP 768d8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761d14f5 2 bytes JMP 768d89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000761d150d 2 bytes JMP 768d8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000761d1525 2 bytes JMP 768d8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000761d153d 2 bytes JMP 7684fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000761d1555 2 bytes JMP 768568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000761d156d 2 bytes JMP 768d8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000761d1585 2 bytes JMP 768d8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000761d159d 2 bytes JMP 768d86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761d15b5 2 bytes JMP 7684fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 
00000000761d15cd 2 bytes JMP 7685b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761d16b2 2 bytes JMP 768d8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2384] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761d16bd 2 bytes JMP 768d8671 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 00000000761d1401 2 bytes JMP 7685b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 00000000761d1419 2 bytes JMP 7685b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 00000000761d1431 2 bytes JMP 768d8f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 00000000761d144a 2 bytes CALL 7683489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000761d14dd 2 bytes JMP 768d8822 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000761d14f5 2 bytes JMP 768d89f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 00000000761d150d 2 bytes JMP 768d8718 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 00000000761d1525 2 bytes JMP 768d8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 00000000761d153d 2 bytes JMP 7684fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 00000000761d1555 2 bytes JMP 768568ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 00000000761d156d 2 bytes JMP 768d8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 00000000761d1585 2 bytes JMP 768d8b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 00000000761d159d 2 bytes JMP 768d86dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000761d15b5 2 bytes JMP 7684fd41 C:\Windows\syswow64\kernel32.dll .text 
C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000761d15cd 2 bytes JMP 7685b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000761d16b2 2 bytes JMP 768d8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe[2408] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000761d16bd 2 bytes JMP 768d8671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 000000006e4f17fa 2 bytes CALL 768311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 000000006e4f1860 2 bytes CALL 768311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 000000006e4f1942 2 bytes JMP 74b17089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000006e4f194d 2 bytes JMP 74b1cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000761d1401 2 bytes JMP 7685b21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000761d1419 2 bytes JMP 7685b346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000761d1431 2 bytes JMP 768d8f29 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000761d144a 2 bytes CALL 7683489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761d14dd 2 bytes JMP 768d8822 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761d14f5 2 bytes JMP 768d89f8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000761d150d 2 bytes JMP 768d8718 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000761d1525 2 bytes JMP 768d8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000761d153d 2 bytes JMP 7684fca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000761d1555 2 bytes JMP 768568ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000761d156d 2 bytes JMP 768d8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000761d1585 2 bytes JMP 768d8b42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000761d159d 2 bytes JMP 768d86dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761d15b5 2 bytes JMP 7684fd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761d15cd 2 bytes JMP 7685b2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 
00000000761d16b2 2 bytes JMP 768d8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761d16bd 2 bytes JMP 768d8671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\explorer.exe[3320] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefd787490 5 bytes JMP 000007fffa480060 .text C:\Windows\explorer.exe[3320] C:\Windows\system32\dwmapi.dll!DwmExtendFrameIntoClientArea 000007fefa493430 5 bytes JMP 000007fffa480010 .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000761d1401 2 bytes JMP 7685b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000761d1419 2 bytes JMP 7685b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000761d1431 2 bytes JMP 768d8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000761d144a 2 bytes CALL 7683489d C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761d14dd 2 bytes JMP 768d8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761d14f5 2 bytes JMP 768d89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000761d150d 2 bytes JMP 768d8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000761d1525 2 bytes JMP 768d8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000761d153d 2 bytes JMP 7684fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000761d1555 2 bytes JMP 768568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000761d156d 2 bytes JMP 768d8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000761d1585 2 bytes JMP 768d8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000761d159d 2 bytes JMP 768d86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761d15b5 2 bytes JMP 7684fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761d15cd 2 bytes JMP 7685b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files 
(x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761d16b2 2 bytes JMP 768d8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Clover\clover.exe[5096] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761d16bd 2 bytes JMP 768d8671 C:\Windows\syswow64\kernel32.dll
? C:\Windows\system32\mssprxy.dll [5096] entry point in ".rdata" section 00000000713b71e6

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001030e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001030c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001031654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001031a50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010318ac] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa8003b12840] [unknown section]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_onexit] [1191b0cb1192b1ca]
IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_lock] [1191b1cc1190b0cb]
IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!__dllonexit] [109eb8d01196b3cd]
IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_unlock] [e8dabca10a2b9d1]
IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!?terminate@@YAXXZ] [c6b96c10d638fbb]
IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!??1type_info@@UEAA@XZ]
[b7ca2cc0c7da3cb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_amsg_exit] [886add20a7ea5cd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_initterm] [59fc3e60692b8db] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_XcptFilter] [2c8e9fd03b1d5f4] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memset] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!malloc] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcsstr] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_ui64tow] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!vswprintf_s] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_vscwprintf] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_wcsicmp] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcstok_s] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!iswspace] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcmp] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcpy] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcstol] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcscspn] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!calloc] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!free] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memmove_s] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcpy_s] [0] IAT C:\Windows\explorer.exe[3320] @ 
C:\Windows\system32\wpdshext.dll[msvcrt.dll!_wsplitpath_s] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_vsnwprintf] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!sqrtf] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!logf] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!__CxxFrameHandler3] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_CxxThrowException] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!ceilf] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleHandleW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateToolhelp32Snapshot] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentThreadId] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Sleep] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CompareStringOrdinal] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetVersion] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LocalFree] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetLastError] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DeactivateActCtx] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetLastError] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadLibraryW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcAddress] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ActivateActCtx] [0] IAT C:\Windows\explorer.exe[3320] 
@ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindActCtxSectionStringW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateActCtxW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleFileNameW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleHandleExW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryActCtxW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!OutputDebugStringA] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CloseHandle] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WaitForSingleObject] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateEventW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetEvent] [aa3f8d30aa8fed7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DeleteFileW] [c99e6c20b9dedc8] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CompareFileTime] [aa8f9dc0c9aebc6] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrlenW] [8ddffff09c4fff6] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetFileAttributesW] [aeaffff08e7ffff] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateFileW] [1cc3fff614e1fffd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalFree] [3196edba26a5f8d8] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateThread] [2bc8f7d234a2f1be] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LocalAlloc] [20ebfade22e4f7d7] IAT C:\Windows\explorer.exe[3320] @ 
C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrcmpW] [34c3f2d126e8fcec] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrcmpiW] [45d9f5c343bce7b4] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FreeLibrary] [45eafbd845e9fbd7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SizeofResource] [45b5e5a045dcf7c4] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LockResource] [4591cf8e459cd691] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadResource] [4596d192458fcd8e] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindResourceW] [45e0f4d545afdea4] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindResourceExW] [45eef8eb45edf8eb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetFileAttributesW] [45b6ddb545e6f6e0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemTime] [4497c5af4599caa8] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SystemTimeToTzSpecificLocalTime] [41aacdc3429dc7b7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WaitForMultipleObjects] [44e4f0eb42bad6cd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FileTimeToSystemTime] [45fdfefd45fdfefd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalAlloc] [45cddedf45fbfcfa] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalReAlloc] [449bbcc945a4c3cb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SystemTimeToFileTime] [4591b5c54593b6c6] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTickCount] [3f89b3c34390b5c4] IAT 
C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Process32FirstW] [33a0bfcc3da4c2ce] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ReadFile] [18b1d1cd25a6c8ce] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WriteFile] [119fc5bd119ec4bc] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetFilePointerEx] [11a6c8c111a2c6bf] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FlushFileBuffers] [11bad5cd11a9cac2] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetFileInformationByHandle] [11e6f0ed11d4e4de] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalSize] [11eff3f311ebf1ef] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalLock] [11fefefe11f8f9f9] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalUnlock] [11f8fbfb11ffffff] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentProcessId] [11e4edee11eaf2f2] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FileTimeToLocalFileTime] [11cedee411dde8ec] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetDateFormatW] [119cbacb11b2c9d4] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTimeFormatW] [1198b6cb119cbacd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FormatMessageW] [1191b1c91194b2c9] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ReleaseActCtx] [1191b0cc1192b1cb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [1098b4cd1193b0cb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DosDateTimeToFileTime] 
[f9bb4cf10a6bcd3] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!EnumUILanguagesW] [c6894bf0d6f97bd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetUserDefaultUILanguage] [c7aa2ca0c729dc7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetLocaleInfoW] [97fa7cf0b79a1cb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetDriveTypeW] [597bce0078bb3d7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcessHeap] [1f3ffff02d5f9fe] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!HeapFree] [1ffffff] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DisableThreadLibraryCalls] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemDirectoryW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetNumberFormatW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!MulDiv] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTempPathW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateDirectoryW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!TzSpecificLocalTimeToSystemTime] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryPerformanceCounter] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryPerformanceFrequency] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ResetEvent] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadLibraryExA] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DelayLoadFailureHook] [0] IAT 
C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!HeapDestroy] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RaiseException] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetVersionExA] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!TerminateProcess] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentProcess] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!UnhandledExceptionFilter] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlVirtualUnwind] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlLookupFunctionEntry] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlCaptureContext] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Process32NextW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!OpenProcess] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcessTimes] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptAcquireContextW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptImportKey] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptCreateHash] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptHashData] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptSignHashW] [0] IAT 
C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptDestroyHash] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptDestroyKey] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptReleaseContext] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegCloseKey] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegOpenKeyExW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegQueryValueExW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegEnumKeyW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetDeviceCaps] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!DeleteDC] [aa9fed909acffdd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetTextExtentPoint32W] [b9dedc90aa4f7d3] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetStockObject] [c97e8c30c97e8c0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetTextExtentPointW] [9bffff00ba7f3d8] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!CreateDIBSection] [7deffff08d5fffd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!DeleteObject] [eeeffff08e3ffff] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!CreateCompatibleDC] [25a8f9de1acdfdf9] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrRetToBufW] [23eefef121edfae2] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHGetThreadRef] [40bee5b82bcff4df] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHRegGetValueW] [45daf7c245e9fbd6] IAT C:\Windows\explorer.exe[3320] @ 
C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrStrIW] [4591cf8f4593d08e] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathCombineW] [45fdfefe45eff7f2] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpIW] [4592b6c64598b9c7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrStrW] [428ab1c24595b7c7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCSpnW] [3aa4c2cf3f95bac9] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathFindFileNameW] [1eadcdcf2da3c2cc] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrFormatByteSizeW] [119ec5bc14abcdc5] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpW] [11a3c7c011a1c5be] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHGetValueW] [11adcdc511a5c7c1] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpLogicalW] [11ebf2f111e7f0ed] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveBlanksW] [11fbfcfb11f0f4f4] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!AssocQueryKeyW] [11fefefe11ffffff] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveExtensionW] [11e7eff011f4f8f8] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHStrDupW] [11dbe7ea11dee8eb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathStripPathW] [11a9c1d011c3d5de] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathAddBackslashW] [1199b8cb119dbbcd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathAppendW] [1194b4ca1196b5ca] IAT C:\Windows\explorer.exe[3320] @ 
C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!AssocCreate] [1191b0cb1193b2cb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathFindExtensionW] [1196b2cc1191afcb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveFileSpecW] [c78a0c90b6191be] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!UnregisterClassA] [3aed5f5059cc2e7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DialogBoxParamW] [1e6fdff02c7eefd] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!InsertMenuW] [1fbffff] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CharNextW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!RemoveMenu] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSubMenu] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!TrackPopupMenu] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetFocus] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetForegroundWindow] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetForegroundWindow] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetShellWindow] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadMenuW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyMenu] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadStringW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendMessageW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClassNameW] [0] IAT C:\Windows\explorer.exe[3320] @ 
C:\Windows\system32\wpdshext.dll[USER32.dll!SetMenuDefaultItem] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadIconW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowTextW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetDlgItemTextW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!EndDialog] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDlgItem] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowLongPtrW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowLongPtrW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!IsDlgButtonChecked] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!UnhookWindowsHookEx] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendDlgItemMessageW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CheckDlgButton] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!EnableWindow] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ShowWindow] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowLongW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowLongW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClientRect] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSystemMetrics] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadImageW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetParent] [0] IAT C:\Windows\explorer.exe[3320] @ 
C:\Windows\system32\wpdshext.dll[USER32.dll!IsChild] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CallNextHookEx] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CreateWindowExW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowPos] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowsHookExW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDC] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ReleaseDC] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowRect] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ScreenToClient] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetTimer] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!KillTimer] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!PostMessageW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDlgCtrlID] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyIcon] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowTextW] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CopyImage] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSysColor] [0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetCursorPos] [9aeffdf08b3ffe8] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClassInfoW] [c96e4be0b9ff0ca] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadCursorW] [ba1f7d50c95e7c2] IAT C:\Windows\explorer.exe[3320] @ 
C:\Windows\system32\wpdshext.dll[USER32.dll!RegisterClassW] [8cefffa0ab6fee9] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!FindWindowW] [7e0ffff07daffff] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindow] [17d7fffa0cecffff] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowThreadProcessId] [2e9ef2c423adf6df] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendMessageTimeoutW] [30b5f8cb349ef2bb] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SwitchToThisWindow] [22edfae326dcf9da] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetLastActivePopup] [26d6f4e420f2fdf2] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyWindow] [45d7f4bf3fbde5b7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!RegisterClipboardFormatW] [45e8fbd545e8fad7] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetMenuItemInfoW] [45b7e6a145d9f6c0] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetMenuItemCount] [4596d28f459dd792] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[WINMM.dll!timeSetEvent] [45e9f7e145c0e7b2] IAT C:\Windows\explorer.exe[3320] @ C:\Windows\system32\wpdshext.dll[WINMM.dll!timeKillEvent] [45eff8ea45eef8ec] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8003b2a2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003b2a2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003b2a2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa8003b2a2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa8003b2a2c0 Device \FileSystem\Ntfs \Ntfs fffffa800450d2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8005a6d2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800504c2c0 Device \Driver\NetBT 
\Device\NetBT_Tcpip_{7BF181E7-6BDD-48C4-BA3A-FFEF704A17F4} fffffa80050b02c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8005a6d2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{84BF902C-F94B-4F63-BEC6-494293C5467B} fffffa80050b02c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8005a6d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80050b02c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003b2a2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8005a6d2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003b2a2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa8003b2a2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8003b2a2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8003b2a2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004cfe060] fffffa8004cfe060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004a4b1f0] fffffa8004a4b1f0 Trace \Driver\atapi[0xfffffa80049a2bf0] -> IRP_MJ_CREATE -> 0xfffffa8003b2a2c0 fffffa8003b2a2c0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4352:3464] 000007fefa9b2bf8 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1192] (GG drive overlay/GG Network S.A.)(2015-02-22 15:50:26) 000000005c080000 Library c:\users\alicja\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpsrlks2.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408](2015-07-02 10:33:24) 0000000002440000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:24) 000000006d0f0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ 
C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (ICU I18N DLL/The ICU Project)(2015-03-04 21:45:30) 000000004a900000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (ICU Common DLL/The ICU Project)(2015-03-04 21:45:30) 0000000005a80000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (ICU Data DLL/The ICU Project)(2015-03-04 21:45:30) 000000004ad00000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28) 0000000067c20000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006c5c0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408](2015-03-04 21:45:30) 000000006ce80000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 00000000672e0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 00000000662f0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ 
application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 00000000660d0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000065e70000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 000000006e9c0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408](2015-03-04 21:45:30) 000000006fab0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28) 000000006e5a0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000065870000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26) 0000000065820000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408](2015-03-04 21:45:30) 00000000653b0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ 
C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408](2015-03-04 21:45:30) 0000000064980000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\QtQuick.2\qtquick2plugin.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408](2015-03-04 21:45:30) 0000000061700000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\QtQuick\Controls\qtquickcontrolsplugin.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408](2015-03-04 21:45:30) 00000000615d0000 Library C:\Users\Alicja\AppData\Roaming\Dropbox\bin\QtQuick\Window.2\windowplugin.dll (*** suspicious ***) @ C:\Users\Alicja\AppData\Roaming\Dropbox\bin\Dropbox.exe [2408](2015-03-04 21:45:30) 00000000615c0000 Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\explorer.exe [3320] (GG drive overlay/GG Network S.A.)(2015-02-22 15:50:26) 000000005c080000 Library C:\Users\Alicja\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\explorer.exe [3320] (GG drive menu/GG Network S.A.)(2 0000000007e10000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x86 0xE1 0x51 0xA6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x86 0xE1 0x51 0xA6 ... ---- EOF - GMER 2.1 ----