GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-25 22:44:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-001CA0 rev.15.01H15 465,76GB
Running: gmer.exe; Driver: C:\Users\zawada\AppData\Local\Temp\pwloypow.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable      fffff96000171f00 7 bytes [40, A7, F3, FF, 01, B5, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000171f08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2024]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075da1465 2 bytes [DA, 75]
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2024]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075da14bb 2 bytes [DA, 75]
.text  ...  * 2
.text  C:\Windows\Explorer.EXE[2632]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Windows\Explorer.EXE[2632]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Windows\Explorer.EXE[2632]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2644]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2644]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[2644]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2816]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2816]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2816]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2816]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075da1465 2 bytes [DA, 75]
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2816]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075da14bb 2 bytes [DA, 75]
.text  ...  * 2
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2880]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2880]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2880]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3032]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3032]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3032]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3032]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075da1465 2 bytes [DA, 75]
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3032]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075da14bb 2 bytes [DA, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2344]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2344]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2344]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2344]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075da1465 2 bytes [DA, 75]
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2344]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075da14bb 2 bytes [DA, 75]
.text  ...  * 2
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2572]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2572]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2572]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000075311a22 2 bytes [31, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000075311ad0 2 bytes [31, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  0000000075311b08 2 bytes [31, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  0000000075311bba 2 bytes [31, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  0000000075311bda 2 bytes [31, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075da1465 2 bytes [DA, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075da14bb 2 bytes [DA, 75]
.text  ...  * 2
.text  C:\Windows\system32\svchost.exe[2920]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 00000001777c0128
.text  C:\Windows\system32\svchost.exe[2920]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 00000001777c0018
.text  C:\Windows\system32\svchost.exe[2920]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000777c00a0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3528]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3528]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3528]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3544]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3544]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3544]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3544]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075da1465 2 bytes [DA, 75]
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3544]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075da14bb 2 bytes [DA, 75]
.text  ...  * 2
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3560]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3560]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3560]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3592]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Windows\system32\svchost.exe[4008]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 00000001777c0128
.text  C:\Windows\system32\svchost.exe[4008]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 00000001777c0018
.text  C:\Windows\system32\svchost.exe[4008]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000777c00a0
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[1188]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[1188]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[1188]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Windows\system32\conhost.exe[3228]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Windows\system32\conhost.exe[3228]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Windows\system32\conhost.exe[3228]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3252]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3252]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3252]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Windows\system32\svchost.exe[3920]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 00000001777c0128
.text  C:\Windows\system32\svchost.exe[3920]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 00000001777c0018
.text  C:\Windows\system32\svchost.exe[3920]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000777c00a0
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4132]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4132]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4132]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4132]  C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW           0000000075bc1bb2 5 bytes JMP 000000010129f63e
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4132]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075da1465 2 bytes [DA, 75]
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4132]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075da14bb 2 bytes [DA, 75]
.text  ...  * 2
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[4144]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Windows\SysWOW64\ctfmon.exe[4240]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Windows\SysWOW64\ctfmon.exe[4240]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Windows\SysWOW64\ctfmon.exe[4240]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Windows\System32\svchost.exe[4596]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 00000001777c0128
.text  C:\Windows\System32\svchost.exe[4596]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 00000001777c0018
.text  C:\Windows\System32\svchost.exe[4596]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000777c00a0
.text  C:\Windows\system32\conhost.exe[4752]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Windows\system32\conhost.exe[4752]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Windows\system32\conhost.exe[4752]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0
.text  C:\Program Files (x86)\Nero\Update\NASvc.exe[5172]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection         00000000779cfc40 5 bytes JMP 000000016b0219c0
.text  C:\Program Files (x86)\Nero\Update\NASvc.exe[5172]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory       00000000779cfe04 5 bytes JMP 000000016b0215e0
.text  C:\Program Files (x86)\Nero\Update\NASvc.exe[5172]  C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW  0000000075dd3bf3 5 bytes JMP 000000016b021750
.text  C:\Windows\system32\svchost.exe[3832]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 00000001777c0128
.text  C:\Windows\system32\svchost.exe[3832]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 00000001777c0018
.text  C:\Windows\system32\svchost.exe[3832]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000777c00a0
.text  C:\Windows\system32\taskhost.exe[1888]  C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection         0000000077821590 5 bytes JMP 0000000077980128
.text  C:\Windows\system32\taskhost.exe[1888]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       00000000778216b0 5 bytes JMP 0000000077980018
.text  C:\Windows\system32\taskhost.exe[1888]  C:\Windows\system32\kernel32.dll!CreateProcessInternalW  00000000775ce7b0 5 bytes JMP 00000000779800a0

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]      [7fefa3f741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]                   [7fefa3f5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]            [7fefa3f5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]          [7fefa3f5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]           [7fefa3f7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]         [7fefa3f6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]          [7fefa3f6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]  [7fefa3f7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]           [7fefa3f7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]   [7fefa3f78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]            [7fefa3f4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]              [7fefa3f5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3104] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]     [7fefa3f7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Processes - GMER 2.1 ----

Library  C:\Users\zawada\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2632] (GG drive menu/GG Network S.A.)(2  000000005ff80000
Process  C:\Users\zawada\AppData\Local\Temp\Rar$EX37.528\gmer.exe (*** suspicious ***) @ C:\Users\zawada\AppData\Local\Temp\Rar$EX37.528\gmer.exe [1612](2015-08-25 20:19:14)  0000000000400000

---- EOF - GMER 2.1 ----