GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-24 12:02:15
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB
Running: ycbyuell.exe; Driver: C:\Users\dom\AppData\Local\Temp\uxriqpow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077c91401 2 bytes JMP 7778b20b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077c91419 2 bytes JMP 7778b336 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077c91431 2 bytes JMP 77808f39 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077c9144a 2 bytes CALL 77764885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077c914dd 2 bytes JMP 77808832 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077c914f5 2 bytes JMP 77808a08 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077c9150d 2 bytes JMP 77808728 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077c91525 2 bytes JMP 77808af2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077c9153d 2 bytes JMP 7777fc98 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077c91555 2 bytes JMP 777868df C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077c9156d 2 bytes JMP 77808ff1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077c91585 2 bytes JMP 77808b52 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077c9159d 2 bytes JMP 778086ec C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077c915b5 2 bytes JMP 7777fd31 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077c915cd 2 bytes JMP 7778b2cc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077c916b2 2 bytes JMP 77808eb4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1764] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077c916bd 2 bytes JMP 77808681 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077c91401 2 bytes JMP 7778b20b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077c91419 2 bytes JMP 7778b336 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077c91431 2 bytes JMP 77808f39 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077c9144a 2 bytes CALL 77764885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077c914dd 2 bytes JMP 77808832 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077c914f5 2 bytes JMP 77808a08 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077c9150d 2 bytes JMP 77808728 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077c91525 2 bytes JMP 77808af2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077c9153d 2 bytes JMP 7777fc98 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077c91555 2 bytes JMP 777868df C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077c9156d 2 bytes JMP 77808ff1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077c91585 2 bytes JMP 77808b52 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077c9159d 2 bytes JMP 778086ec C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077c915b5 2 bytes JMP 7777fd31 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077c915cd 2 bytes JMP 7778b2cc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077c916b2 2 bytes JMP 77808eb4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3108] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077c916bd 2 bytes JMP 77808681 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077c91401 2 bytes JMP 7778b20b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077c91419 2 bytes JMP 7778b336 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077c91431 2 bytes JMP 77808f39 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077c9144a 2 bytes CALL 77764885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077c914dd 2 bytes JMP 77808832 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077c914f5 2 bytes JMP 77808a08 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077c9150d 2 bytes JMP 77808728 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077c91525 2 bytes JMP 77808af2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077c9153d 2 bytes JMP 7777fc98 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077c91555 2 bytes JMP 777868df C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077c9156d 2 bytes JMP 77808ff1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077c91585 2 bytes JMP 77808b52 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077c9159d 2 bytes JMP 778086ec C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077c915b5 2 bytes JMP 7777fd31 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077c915cd 2 bytes JMP 7778b2cc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077c916b2 2 bytes JMP 77808eb4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[3412] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077c916bd 2 bytes JMP 77808681 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077c91401 2 bytes JMP 7778b20b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077c91419 2 bytes JMP 7778b336 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077c91431 2 bytes JMP 77808f39 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077c9144a 2 bytes CALL 77764885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077c914dd 2 bytes JMP 77808832 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077c914f5 2 bytes JMP 77808a08 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077c9150d 2 bytes JMP 77808728 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077c91525 2 bytes JMP 77808af2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077c9153d 2 bytes JMP 7777fc98 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077c91555 2 bytes JMP 777868df C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077c9156d 2 bytes JMP 77808ff1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077c91585 2 bytes JMP 77808b52 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077c9159d 2 bytes JMP 778086ec C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077c915b5 2 bytes JMP 7777fd31 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077c915cd 2 bytes JMP 7778b2cc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077c916b2 2 bytes JMP 77808eb4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3752] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077c916bd 2 bytes JMP 77808681 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077c91401 2 bytes JMP 7778b20b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077c91419 2 bytes JMP 7778b336 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077c91431 2 bytes JMP 77808f39 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077c9144a 2 bytes CALL 77764885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077c914dd 2 bytes JMP 77808832 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077c914f5 2 bytes JMP 77808a08 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077c9150d 2 bytes JMP 77808728 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077c91525 2 bytes JMP 77808af2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077c9153d 2 bytes JMP 7777fc98 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077c91555 2 bytes JMP 777868df C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077c9156d 2 bytes JMP 77808ff1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077c91585 2 bytes JMP 77808b52 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077c9159d 2 bytes JMP 778086ec C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077c915b5 2 bytes JMP 7777fd31 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077c915cd 2 bytes JMP 7778b2cc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077c916b2 2 bytes JMP 77808eb4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077c916bd 2 bytes JMP 77808681 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000006f3e11a8 2 bytes [3E, 6F]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000006f3e127d 2 bytes CALL 777614b9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395 000000006f3e1310 2 bytes CALL 777614b9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000006f3e13a8 2 bytes [3E, 6F]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000006f3e1422 2 bytes [3E, 6F]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[1924] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000006f3e1498 2 bytes [3E, 6F]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077c91401 2 bytes JMP 7778b20b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077c91419 2 bytes JMP 7778b336 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077c91431 2 bytes JMP 77808f39 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077c9144a 2 bytes CALL 77764885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077c914dd 2 bytes JMP 77808832 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077c914f5 2 bytes JMP 77808a08 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077c9150d 2 bytes JMP 77808728 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077c91525 2 bytes JMP 77808af2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077c9153d 2 bytes JMP 7777fc98 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077c91555 2 bytes JMP 777868df C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077c9156d 2 bytes JMP 77808ff1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077c91585 2 bytes JMP 77808b52 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077c9159d 2 bytes JMP 778086ec C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077c915b5 2 bytes JMP 7777fd31 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077c915cd 2 bytes JMP 7778b2cc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077c916b2 2 bytes JMP 77808eb4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3024] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077c916bd 2 bytes JMP 77808681 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077c91401 2 bytes JMP 7778b20b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077c91419 2 bytes JMP 7778b336 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077c91431 2 bytes JMP 77808f39 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077c9144a 2 bytes CALL 77764885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077c914dd 2 bytes JMP 77808832 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077c914f5 2 bytes JMP 77808a08 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077c9150d 2 bytes JMP 77808728 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077c91525 2 bytes JMP 77808af2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077c9153d 2 bytes JMP 7777fc98 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077c91555 2 bytes JMP 777868df C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077c9156d 2 bytes JMP 77808ff1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077c91585 2 bytes JMP 77808b52 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077c9159d 2 bytes JMP 778086ec C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077c915b5 2 bytes JMP 7777fd31 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077c915cd 2 bytes JMP 7778b2cc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077c916b2 2 bytes JMP 77808eb4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3512] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077c916bd 2 bytes JMP 77808681 C:\windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5036:4656] 000007fefbd72ae8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5036:4448] 000007fef9ba5124

---- Processes - GMER 2.1 ----

Process C:\ProgramData\airtel mobile broadband\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\airtel mobile broadband\OnlineUpdate\ouc.exe [2280](2014-12-15 12:25:09) 0000000000400000
Library C:\ProgramData\airtel mobile broadband\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\airtel mobile broadband\OnlineUpdate\ouc.exe [2280](2014-12-15 12:25:09) 000000006fbc0000
Library C:\ProgramData\airtel mobile broadband\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\airtel mobile broadband\OnlineUpdate\ouc.exe [2280](2014-12-15 12:25:09) 000000006e940000
Library C:\ProgramData\airtel mobile broadband\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\airtel mobile broadband\OnlineUpdate\ouc.exe [2280](2014-12-15 12:25:09) 000000006a1c0000
Library C:\ProgramData\airtel mobile broadband\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\airtel mobile broadband\OnlineUpdate\ouc.exe [2280](2014-12-15 12:25:09) 000000006ff00000
Process C:\ProgramData\EasySettings\SettingsCmdMonitor.exe (*** suspicious ***) @ C:\ProgramData\EasySettings\SettingsCmdMonitor.exe [5044] (SettingsCmdMonitor/Samsung Electronics CO., LTD.)(2012-09-06 12:45:38) 0000000000260000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c4850804235f
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c8f7332bb59b
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c4850804235f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c8f7332bb59b (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----