GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-22 14:18:55
Windows 6.1.7601 Service Pack 1 x64
\Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST964032 rev.0002 596,17GB
Running: gmer.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\fxldrpoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076f11419 2 bytes JMP 76a6b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076f11431 2 bytes JMP 76ae8f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076f1144a 2 bytes CALL 76a4489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076f114dd 2 bytes JMP 76ae8822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076f114f5 2 bytes JMP 76ae89f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076f1150d 2 bytes JMP 76ae8718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076f11525 2 bytes JMP 76ae8ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076f1153d 2 bytes JMP 76a5fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076f11555 2 bytes JMP 76a668ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076f1156d 2 bytes JMP 76ae8fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076f11585 2 bytes JMP 76ae8b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076f1159d 2 bytes JMP 76ae86dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076f115b5 2 bytes JMP 76a5fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076f115cd 2 bytes JMP 76a6b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076f116b2 2 bytes JMP 76ae8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076f116bd 2 bytes JMP 76ae8671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076f11419 2 bytes JMP 76a6b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076f11431 2 bytes JMP 76ae8f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076f1144a 2 bytes CALL 76a4489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076f114dd 2 bytes JMP 76ae8822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076f114f5 2 bytes JMP 76ae89f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076f1150d 2 bytes JMP 76ae8718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076f11525 2 bytes JMP 76ae8ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076f1153d 2 bytes JMP 76a5fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076f11555 2 bytes JMP 76a668ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076f1156d 2 bytes JMP 76ae8fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076f11585 2 bytes JMP 76ae8b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076f1159d 2 bytes JMP 76ae86dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076f115b5 2 bytes JMP 76a5fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076f115cd 2 bytes JMP 76a6b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076f116b2 2 bytes JMP 76ae8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076f116bd 2 bytes JMP 76ae8671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076f11419 2 bytes JMP 76a6b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076f11431 2 bytes JMP 76ae8f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076f1144a 2 bytes CALL 76a4489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076f114dd 2 bytes JMP 76ae8822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076f114f5 2 bytes JMP 76ae89f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076f1150d 2 bytes JMP 76ae8718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076f11525 2 bytes JMP 76ae8ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076f1153d 2 bytes JMP 76a5fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076f11555 2 bytes JMP 76a668ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076f1156d 2 bytes JMP 76ae8fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076f11585 2 bytes JMP 76ae8b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076f1159d 2 bytes JMP 76ae86dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076f115b5 2 bytes JMP 76a5fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076f115cd 2 bytes JMP 76a6b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076f116b2 2 bytes JMP 76ae8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3288]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076f116bd 2 bytes JMP 76ae8671 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076f11419 2 bytes JMP 76a6b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076f11431 2 bytes JMP 76ae8f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076f1144a 2 bytes CALL 76a4489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076f114dd 2 bytes JMP 76ae8822 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076f114f5 2 bytes JMP 76ae89f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076f1150d 2 bytes JMP 76ae8718 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076f11525 2 bytes JMP 76ae8ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076f1153d 2 bytes JMP 76a5fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076f11555 2 bytes JMP 76a668ef C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076f1156d 2 bytes JMP 76ae8fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076f11585 2 bytes JMP 76ae8b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076f1159d 2 bytes JMP 76ae86dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076f115b5 2 bytes JMP 76a5fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076f115cd 2 bytes JMP 76a6b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076f116b2 2 bytes JMP 76ae8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076f116bd 2 bytes JMP 76ae8671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076f11419 2 bytes JMP 76a6b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076f11431 2 bytes JMP 76ae8f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076f1144a 2 bytes CALL 76a4489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076f114dd 2 bytes JMP 76ae8822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076f114f5 2 bytes JMP 76ae89f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076f1150d 2 bytes JMP 76ae8718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076f11525 2 bytes JMP 76ae8ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076f1153d 2 bytes JMP 76a5fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076f11555 2 bytes JMP 76a668ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076f1156d 2 bytes JMP 76ae8fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076f11585 2 bytes JMP 76ae8b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076f1159d 2 bytes JMP 76ae86dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076f115b5 2 bytes JMP 76a5fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076f115cd 2 bytes JMP 76a6b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076f116b2 2 bytes JMP 76ae8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3868]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076f116bd 2 bytes JMP 76ae8671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[5380]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076a48781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076f11419 2 bytes JMP 76a6b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076f11431 2 bytes JMP 76ae8f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076f1144a 2 bytes CALL 76a4489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076f114dd 2 bytes JMP 76ae8822 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076f114f5 2 bytes JMP 76ae89f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076f1150d 2 bytes JMP 76ae8718 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076f11525 2 bytes JMP 76ae8ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076f1153d 2 bytes JMP 76a5fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076f11555 2 bytes JMP 76a668ef C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076f1156d 2 bytes JMP 76ae8fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076f11585 2 bytes JMP 76ae8b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076f1159d 2 bytes JMP 76ae86dc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076f115b5 2 bytes JMP 76a5fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076f115cd 2 bytes JMP 76a6b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076f116b2 2 bytes JMP 76ae8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Kuba\AppData\Local\GG\Application\ggdrive\ggdrive.exe[6964]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076f116bd 2 bytes JMP 76ae8671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076f11419 2 bytes JMP 76a6b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076f11431 2 bytes JMP 76ae8f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076f1144a 2 bytes CALL 76a4489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076f114dd 2 bytes JMP 76ae8822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076f114f5 2 bytes JMP 76ae89f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076f1150d 2 bytes JMP 76ae8718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076f11525 2 bytes JMP 76ae8ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076f1153d 2 bytes JMP 76a5fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076f11555 2 bytes JMP 76a668ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076f1156d 2 bytes JMP 76ae8fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076f11585 2 bytes JMP 76ae8b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076f1159d 2 bytes JMP 76ae86dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076f115b5 2 bytes JMP 76a5fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076f115cd 2 bytes JMP 76a6b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076f116b2 2 bytes JMP 76ae8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6776]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076f116bd 2 bytes JMP 76ae8671 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff88001060e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff88001060c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff88001061654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff88001061a50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010618ac] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device  \Driver\JMCR  \Device\Scsi\JMCR1  fffffa800a5e42c0
Device  \Driver\JMCR  \Device\Scsi\JMCR2  fffffa800a5e42c0
Device  \Driver\JMCR  \Device\Scsi\JMCR3  fffffa800a5e42c0
Device  \Driver\JMCR  \Device\Scsi\JMCR4  fffffa800a5e42c0
Device  \FileSystem\Ntfs  \Ntfs  fffffa80075e62c0
Device  \FileSystem\fastfat  \Fat  fffffa800a6762c0
Device  \Driver\usbehci  \Device\USBPDO-1  fffffa800a5be2c0
Device  \Driver\cdrom  \Device\CdRom0  fffffa8009bab2c0
Device  \Driver\usbehci  \Device\USBFDO-0  fffffa800a5be2c0
Device  \Driver\NetBT  \Device\NetBT_Tcpip_{5A4CA4B2-F92B-4BCE-8C5D-E0DD41CB7B26}  fffffa8009cb02c0
Device  \Driver\usbehci  \Device\USBFDO-1  fffffa800a5be2c0
Device  \Driver\NetBT  \Device\NetBt_Wins_Export  fffffa8009cb02c0
Device  \Driver\usbehci  \Device\USBPDO-0  fffffa800a5be2c0
Device  \Driver\JMCR  \Device\ScsiPort1  fffffa800a5e42c0
Device  \Driver\JMCR  \Device\ScsiPort2  fffffa800a5e42c0
Device  \Driver\JMCR  \Device\ScsiPort3  fffffa800a5e42c0
Device  \Driver\JMCR  \Device\ScsiPort4  fffffa800a5e42c0
Device  \Driver\NetBT  \Device\NetBT_Tcpip_{41DA234B-8B14-4F40-AC7D-2B9F6141584D}  fffffa8009cb02c0

---- Processes - GMER 2.1 ----

Process  C:\Users\Kuba\AppData\Local\Temp\Rar$EXa0.394\gmer.exe (*** suspicious ***) @ C:\Users\Kuba\AppData\Local\Temp\Rar$EXa0.394\gmer.exe [6484](2015-07-22 11:28:41)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dbcec5f
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dbcec5f (not active ControlSet)

---- Files - GMER 2.1 ----

File  C:\ADSM_PData_0150  0 bytes
File  C:\ADSM_PData_0150\DB  0 bytes
File  C:\ADSM_PData_0150\DB\SI.db  624 bytes
File  C:\ADSM_PData_0150\DB\UL.db  16 bytes
File  C:\ADSM_PData_0150\DB\VL.db  16 bytes
File  C:\ADSM_PData_0150\DB\WAL.db  2048 bytes
File  C:\ADSM_PData_0150\DragWait.exe  315392 bytes executable
File  C:\ADSM_PData_0150\_avt  512 bytes
File  C:\Users\Kuba\AppData\Roaming\Microsoft\Windows\Cookies\Low\D252HP3J.txt  170 bytes

---- EOF - GMER 2.1 ----
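Added triage example (Python, written for this page; it is not part of the GMER log above and not GMER's own code). It parses a handful of the log's ".text" records, copied into the script as a constructed sample, into structured fields and runs two checks a reviewer of a log like this wants before reading further: that the decimal "+ N" offsets and the hex patch addresses agree (the two GetProcessImageFileNameW sites, +20 at ...b2 and +31 at ...bd, resolve to the same function base), and whether any patched site is patched differently from one process to the next. The record layout assumed is the one visible in the log (section, image path with [PID], module!function, optional "+ offset", address, length, then either "JMP/CALL target module" or a raw byte list); field names such as parse_hooks and inconsistent_hooks are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: seven ".text" records copied from the GMER log above,
# one record per line (GMER's tab-separated layout collapsed to two spaces).
SAMPLE_LOG = r"""
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076f1144a 2 bytes CALL 76a4489d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076f116b2 2 bytes JMP 76ae8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2104]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076f116bd 2 bytes JMP 76ae8671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2212]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[3484]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076f11401 2 bytes JMP 76a6b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[5380]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076a48781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
"""

# Field layout as it appears in the log (an assumption of this example, not a GMER spec).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"         # image path and PID
    r"(?P<module>\S+?)!(?P<function>\w+)"                    # patched export
    r"(?:\s*\+\s*(?P<offset>\d+))?\s+"                       # optional "+ N" (decimal)
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+bytes\s+"  # patch address and length
    r"(?P<patch>.+)$"                                        # JMP/CALL target or raw bytes
)
PATCH_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<target_module>\S+)$")


def parse_hooks(text):
    """Turn GMER '.text' records into dicts; lines that are not hook records are skipped."""
    records = []
    for raw in text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["offset"] = int(rec["offset"] or 0)
        rec["address"] = int(rec["address"], 16)
        rec["size"] = int(rec["size"])
        pm = PATCH_RE.match(rec["patch"])
        if pm:  # control-flow patch: record where the detour lands
            rec["kind"] = pm["kind"]
            rec["target"] = int(pm["target"], 16)
            rec["target_module"] = pm["target_module"]
        else:   # inline byte patch with no decoded target, e.g. [31, C0, ...]
            rec["kind"] = "BYTES"
            rec["target"] = None
            rec["target_module"] = None
        records.append(rec)
    return records


def hooks_per_process(records):
    """pid -> image name, number of patched sites, and the modules the detours land in."""
    out = {}
    for r in records:
        e = out.setdefault(r["pid"], {"image": r["process"].rsplit("\\", 1)[-1],
                                       "hooks": 0, "targets": set()})
        e["hooks"] += 1
        if r["target_module"]:
            e["targets"].add(r["target_module"].rsplit("\\", 1)[-1].lower())
    return out


def function_bases(records):
    """(module, function) -> set of (address - offset). A single value per function means
    the decimal '+ N' offsets and the hex addresses agree, as for the two
    GetProcessImageFileNameW sites (+20 at ...b2, +31 at ...bd, both base ...9e)."""
    bases = defaultdict(set)
    for r in records:
        bases[(r["module"].lower(), r["function"])].add(r["address"] - r["offset"])
    return dict(bases)


def inconsistent_hooks(records):
    """Patched sites whose patch differs between processes. A patch that is identical in
    every process is a change all of them share (the same mapped DLL image); a site that
    differs per process is the one to look at first."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["module"].lower(), r["function"], r["offset"])].add(
            (r["kind"], r["target"], r["size"]))
    return {site: patches for site, patches in seen.items() if len(patches) > 1}


if __name__ == "__main__":
    recs = parse_hooks(SAMPLE_LOG)
    for pid, e in sorted(hooks_per_process(recs).items()):
        print(f"{pid:>5}  {e['image']:<20} {e['hooks']} site(s) -> {sorted(e['targets']) or 'n/a'}")
    bases = function_bases(recs)
    print("functions with one consistent base:", sum(1 for b in bases.values() if len(b) == 1), "of", len(bases))
    print("sites patched differently across processes:", inconsistent_hooks(recs) or "none")
```

Run against the full log (one record per line), the same functions give a per-process count of patched PSAPI exports and confirm that every JMP/CALL in the user-mode section lands in kernel32.dll; the AvastUI.exe record is the only one reported as raw bytes rather than a decoded detour, so it is the only record with no target module.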