GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-10 14:29:47
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB
Running: f7hp56rl.exe; Driver: C:\Users\Kanon\AppData\Local\Temp\agtiqpog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007776929a 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\kernel32.dll!CreateThread 0000000075fa3485 6 bytes JMP 71af000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000075fa48e3 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fa8781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075112c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076291401 2 bytes JMP 75fcb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076291419 2 bytes JMP 75fcb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076291431 2 bytes JMP 76048f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007629144a 2 bytes CALL 75fa489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762914dd 2 bytes JMP 76048822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762914f5 2 bytes JMP 760489f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007629150d 2 bytes JMP 76048718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076291525 2 bytes JMP 76048ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007629153d 2 bytes JMP 75fbfca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076291555 2 bytes JMP 75fc68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007629156d 2 bytes JMP 76048fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076291585 2 bytes JMP 76048b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007629159d 2 bytes JMP 760486dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762915b5 2 bytes JMP 75fbfd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762915cd 2 bytes JMP 75fcb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762916b2 2 bytes JMP 76048ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762916bd 2 bytes JMP 76048671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[2056] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007776929a 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[2056] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007776af7d 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[2056] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fa8781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[2056] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075112c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007776929a 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007776af7d 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fa8781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075112c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076291401 2 bytes JMP 75fcb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076291419 2 bytes JMP 75fcb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076291431 2 bytes JMP 76048f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007629144a 2 bytes CALL 75fa489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762914dd 2 bytes JMP 76048822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762914f5 2 bytes JMP 760489f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007629150d 2 bytes JMP 76048718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076291525 2 bytes JMP 76048ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007629153d 2 bytes JMP 75fbfca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076291555 2 bytes JMP 75fc68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007629156d 2 bytes JMP 76048fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076291585 2 bytes JMP 76048b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007629159d 2 bytes JMP 760486dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762915b5 2 bytes JMP 75fbfd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762915cd 2 bytes JMP 75fcb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762916b2 2 bytes JMP 76048ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762916bd 2 bytes JMP 76048671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fa8781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076291401 2 bytes JMP 75fcb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076291419 2 bytes JMP 75fcb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076291431 2 bytes JMP 76048f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007629144a 2 bytes CALL 75fa489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762914dd 2 bytes JMP 76048822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762914f5 2 bytes JMP 760489f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007629150d 2 bytes JMP 76048718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076291525 2 bytes JMP 76048ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007629153d 2 bytes JMP 75fbfca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076291555 2 bytes JMP 75fc68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007629156d 2 bytes JMP 76048fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076291585 2 bytes JMP 76048b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007629159d 2 bytes JMP 760486dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762915b5 2 bytes JMP 75fbfd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762915cd 2 bytes JMP 75fcb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762916b2 2 bytes JMP 76048ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762916bd 2 bytes JMP 76048671 C:\windows\syswow64\kernel32.dll
.text C:\windows\Explorer.EXE[3140] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077350660 6 bytes {JMP QWORD [RIP+0x8ccf9d0]}
.text C:\windows\Explorer.EXE[3140] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd35a6f5 3 bytes CALL 3000025
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\bavhm.exe[4012] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd3499f2 3 bytes [0A, 66, 06]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007776af7d 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fa8781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075112c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!GetScrollInfo 0000000075894018 7 bytes JMP 000000016e37b740
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!SetScrollInfo 00000000758940cf 7 bytes JMP 000000016e37b560
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!ShowScrollBar 0000000075894162 5 bytes JMP 000000016e37bba0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!GetScrollPos 0000000075894234 5 bytes JMP 000000016e37b910
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!SetScrollPos 00000000758987a5 5 bytes JMP 000000016e37b810
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!EnableScrollBar 0000000075898d3a 7 bytes JMP 000000016e37bbe0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!GetScrollRange 00000000758990c4 5 bytes JMP 000000016e37bae0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!SetScrollRange 00000000758ad50b 5 bytes JMP 000000016e37b990
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076291401 2 bytes JMP 75fcb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076291419 2 bytes JMP 75fcb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076291431 2 bytes JMP 76048f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007629144a 2 bytes CALL 75fa489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762914dd 2 bytes JMP 76048822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762914f5 2 bytes JMP 760489f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007629150d 2 bytes JMP 76048718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076291525 2 bytes JMP 76048ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007629153d 2 bytes JMP 75fbfca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076291555 2 bytes JMP 75fc68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007629156d 2 bytes JMP 76048fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076291585 2 bytes JMP 76048b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007629159d 2 bytes JMP 760486dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762915b5 2 bytes JMP 75fbfd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762915cd 2 bytes JMP 75fcb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762916b2 2 bytes JMP 76048ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762916bd 2 bytes JMP 76048671 C:\windows\syswow64\kernel32.dll
? C:\windows\system32\mssprxy.dll [4900] entry point in ".rdata" section 00000000706e71e6
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007776929a 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\kernel32.dll!CreateThread 0000000075fa3485 6 bytes JMP 71af000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000075fa48e3 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fa8781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075112c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!GetScrollInfo 0000000075894018 7 bytes JMP 000000016eb0c080
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!SetScrollInfo 00000000758940cf 7 bytes JMP 000000016eb0bea0
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!ShowScrollBar 0000000075894162 5 bytes JMP 000000016eb0c4e0
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!GetScrollPos 0000000075894234 5 bytes JMP 000000016eb0c250
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!SetScrollPos 00000000758987a5 5 bytes JMP 000000016eb0c150
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!EnableScrollBar 0000000075898d3a 7 bytes JMP 000000016eb0c520
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!GetScrollRange 00000000758990c4 5 bytes JMP 000000016eb0c420
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!IsDialogMessage 00000000758a50ed 5 bytes JMP 000000016eb11260
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!IsDialogMessageW 00000000758ac701 5 bytes JMP 000000016eb11260
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\USER32.dll!SetScrollRange 00000000758ad50b 5 bytes JMP 000000016eb0c2d0
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076291401 2 bytes JMP 75fcb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076291419 2 bytes JMP 75fcb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076291431 2 bytes JMP 76048f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007629144a 2 bytes CALL 75fa489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762914dd 2 bytes JMP 76048822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762914f5 2 bytes JMP 760489f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007629150d 2 bytes JMP 76048718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076291525 2 bytes JMP 76048ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007629153d 2 bytes JMP 75fbfca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076291555 2 bytes JMP 75fc68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007629156d 2 bytes JMP 76048fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076291585 2 bytes JMP 76048b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007629159d 2 bytes JMP 760486dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762915b5 2 bytes JMP 75fbfd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762915cd 2 bytes JMP 75fcb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762916b2 2 bytes JMP 76048ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFTray.exe[4156] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762916bd 2 bytes JMP 76048671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076291401 2 bytes JMP 75fcb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076291419 2 bytes JMP 75fcb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076291431 2 bytes JMP 76048f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007629144a 2 bytes CALL 75fa489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762914dd 2 bytes JMP 76048822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762914f5 2 bytes JMP 760489f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007629150d 2 bytes JMP 76048718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076291525 2 bytes JMP 76048ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007629153d 2 bytes JMP 75fbfca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076291555 2 bytes JMP 75fc68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007629156d 2 bytes JMP 76048fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076291585 2 bytes JMP 76048b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007629159d 2 bytes JMP 760486dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762915b5 2 bytes JMP 75fbfd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762915cd 2 bytes JMP 75fcb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762916b2 2 bytes JMP 76048ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5484] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762916bd 2 bytes JMP 76048671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007776929a 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\kernel32.dll!CreateThread 0000000075fa3485 6 bytes JMP 71af000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000075fa48e3 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fa8781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075112c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076291401 2 bytes JMP 75fcb21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076291419 2 bytes JMP 75fcb346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076291431 2 bytes JMP 76048f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007629144a 2 bytes CALL 75fa489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762914dd 2 bytes JMP 76048822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762914f5 2 bytes JMP 760489f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007629150d 2 bytes JMP 76048718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076291525 2 bytes JMP 76048ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007629153d 2 bytes JMP 75fbfca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076291555 2 bytes JMP 75fc68ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007629156d 2 bytes JMP 76048fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076291585 2 bytes JMP 76048b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007629159d 2 bytes JMP 760486dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762915b5 2 bytes JMP 75fbfd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762915cd 2 bytes JMP 75fcb2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762916b2 2 bytes JMP 76048ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[3280] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762916bd 2 bytes JMP 76048671 C:\windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\windows\system32\svchost.exe [1396:2744] 000007feeb606ed4
Thread C:\windows\system32\svchost.exe [1396:6120] 000007feeb606b8c
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4860:4760] 000007fefb842bf8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4860:4392] 000007feed2ecf60
Thread C:\windows\System32\svchost.exe [5480:524] 000007feeaf39688

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395745d82
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a827a1093
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395745d82 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a827a1093 (not active ControlSet)

---- EOF - GMER 2.1 ----
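The "User code sections" entries above are GMER's raw hook list; what a reviewer wants from it is a sort into hooks that are expected on this OS, byte patches that can be read off directly, and JMP/CALL targets that still need a module lookup. The script below is an added triage example, not part of GMER or of this log. The verdict rules are the editor's own heuristics for a Windows 7 x64 / WOW64 log: the 2-byte PSAPI.DLL jumps that GMER resolves into kernel32.dll are psapi.dll's normal forwarding stubs on Windows 7, the byte dump [33, C0, 90, 90, C2, 04, 00] is x86 for xor eax,eax / nop / nop / ret 4 (the export now returns NULL), and any JMP or CALL whose target GMER could not attribute to a module is left for the reviewer to resolve. It also counts how many distinct PIDs carry a hook to each unresolved target, since the same trampoline address in many processes points to one injected module loaded at the same base everywhere. SAMPLE_LINES is a constructed excerpt copied from the log above.

```python
"""Triage helper for the 'User code sections' part of a GMER 2.1 log.

Added example, not GMER code. The verdict rules are the editor's own
heuristics for a Windows 7 x64 / WOW64 log, not verdicts GMER itself emits.
"""
import re
from collections import defaultdict

# One hook entry, once the log has one entry per line:
#   .text <image>[<pid>] <dll>!<export>[ + <off>] <addr> <n> bytes <detail>
ENTRY_RE = re.compile(
    r"^\.text\s+(?P<image>.+?\.exe)\[(?P<pid>\d+)\]\s+"
    r"(?P<export>\S+!\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9a-f]{16})\s+(?P<size>\d+) bytes\s+(?P<detail>.*)$",
    re.IGNORECASE,
)
# detail forms: "JMP 75fcb21b C:\...\kernel32.dll" (target resolved to a module)
# or "CALL 71ac0000" (target GMER could not attribute to any module)
TARGET_RE = re.compile(
    r"^(?P<op>JMP|CALL)\s+(?P<target>[0-9a-f]+)(?:\s+(?P<module>\S.*))?$", re.IGNORECASE
)
# detail form for an inline byte patch: "[33, C0, 90, 90, C2, 04, 00, ...]"
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-F]{2}(?:, [0-9A-F]{2})*)(?:, \.\.\.)?\]$")

# x86 byte sequences worth recognising on sight (32-bit WOW64 process).
KNOWN_PATCHES = {
    ("33", "C0", "90", "90", "C2", "04", "00"):
        "xor eax,eax; nop; nop; ret 4: export stubbed to return NULL",
}


def parse_entry(line):
    """Split one .text entry into its fields; None for lines that are not hook entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["pid"] = int(e["pid"])
    e["size"] = int(e["size"])
    e["process"] = e["image"].rsplit("\\", 1)[-1]
    e["dll"] = e["export"].rsplit("\\", 1)[-1].split("!")[0].lower()
    return e


def classify(entry):
    """Return (verdict, note); verdict is 'expected', 'patch' or 'review'."""
    detail = entry["detail"]
    t = TARGET_RE.match(detail)
    if t:
        op, target, module = t.group("op").upper(), t.group("target").lower(), t.group("module")
        if module and entry["dll"] == "psapi.dll" and module.lower().endswith("kernel32.dll"):
            # Windows 7 psapi.dll exports are stubs that jump into kernel32's K32* code.
            return "expected", "psapi.dll export forwarding into kernel32 (normal on Windows 7)"
        if module:
            return "review", f"{op} into {module}"
        return "review", f"{op} to unnamed memory {target}; find the module that owns it"
    b = BYTES_RE.match(detail)
    if b:
        raw = tuple(b.group("bytes").split(", "))
        for pattern, meaning in KNOWN_PATCHES.items():
            if raw[: len(pattern)] == pattern:
                return "patch", meaning
        return "review", f"inline byte patch {detail}; dump and disassemble the prologue"
    return "review", f"unrecognised hook form: {detail}"


def triage(lines):
    """Classify every entry and count, per unnamed JMP/CALL target, how many
    distinct PIDs carry a hook to it."""
    results, shared = [], defaultdict(set)
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        verdict, note = classify(e)
        results.append((e["process"], e["pid"], e["export"].rsplit("\\", 1)[-1], verdict, note))
        t = TARGET_RE.match(e["detail"])
        if t and not t.group("module"):
            shared[t.group("target").lower()].add(e["pid"])
    return results, {addr: len(pids) for addr, pids in shared.items()}


# Constructed excerpt: entries copied from the log above, plus two non-entry lines.
SAMPLE_LINES = [
    r".text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007776929a 6 bytes JMP 71a5000a",
    r".text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075fa8781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]",
    r".text C:\Program Files (x86)\PC Faster\5.1.0.0\PCFasterSvc.exe[888] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076291401 2 bytes JMP 75fcb21b C:\windows\syswow64\kernel32.dll",
    r".text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[2056] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007776929a 6 bytes JMP 71a8000a",
    r".text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[2380] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007776af7d 6 bytes JMP 71a8000a",
    r".text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[4900] C:\windows\syswow64\USER32.dll!GetScrollInfo 0000000075894018 7 bytes JMP 000000016e37b740",
    r".text C:\windows\Explorer.EXE[3140] C:\windows\system32\kernel32.dll!CreateProcessW 0000000077350660 6 bytes {JMP QWORD [RIP+0x8ccf9d0]}",
    r".text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\bavhm.exe[4012] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd3499f2 3 bytes [0A, 66, 06]",
    r".text ... * 9",
    r'? C:\windows\system32\mssprxy.dll [4900] entry point in ".rdata" section 00000000706e71e6',
]

if __name__ == "__main__":
    rows, shared = triage(SAMPLE_LINES)
    for process, pid, export, verdict, note in rows:
        print(f"{verdict:8} {process}[{pid}] {export}: {note}")
    for addr, n in sorted(shared.items(), key=lambda kv: -kv[1]):
        print(f"trampoline {addr} hooked from {n} process(es)")
```

Feed it a whole log (one entry per line) and read the "review" rows first: the unnamed trampolines shared by several PIDs are the ones to attribute to a module with a process inspector before deciding whether the hooking product is the installed security software or something else.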