GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-11 11:20:31
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596,17GB
Running: i6wqnyy6.exe; Driver: C:\Users\LUCAS\AppData\Local\Temp\kgtiapow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074be1401 2 bytes JMP 7505b20b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074be1419 2 bytes JMP 7505b336 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074be1431 2 bytes JMP 750d8f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074be144a 2 bytes CALL 75034885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074be14dd 2 bytes JMP 750d8832 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074be14f5 2 bytes JMP 750d8a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074be150d 2 bytes JMP 750d8728 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074be1525 2 bytes JMP 750d8af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074be153d 2 bytes JMP 7504fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074be1555 2 bytes JMP 750568df C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074be156d 2 bytes JMP 750d8ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074be1585 2 bytes JMP 750d8b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074be159d 2 bytes JMP 750d86ec C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074be15b5 2 bytes JMP 7504fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074be15cd 2 bytes JMP 7505b2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074be16b2 2 bytes JMP 750d8eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1952]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074be16bd 2 bytes JMP 750d8681 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\SysWOW64\WSOCK32.dll!recv + 82  00000000724b17fa 2 bytes CALL 750311a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88  00000000724b1860 2 bytes CALL 750311a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98  00000000724b1942 2 bytes JMP 75987089 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109  00000000724b194d 2 bytes JMP 7598cba6 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074be1401 2 bytes JMP 7505b20b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074be1419 2 bytes JMP 7505b336 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074be1431 2 bytes JMP 750d8f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074be144a 2 bytes CALL 75034885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074be14dd 2 bytes JMP 750d8832 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074be14f5 2 bytes JMP 750d8a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074be150d 2 bytes JMP 750d8728 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074be1525 2 bytes JMP 750d8af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074be153d 2 bytes JMP 7504fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074be1555 2 bytes JMP 750568df C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074be156d 2 bytes JMP 750d8ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074be1585 2 bytes JMP 750d8b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074be159d 2 bytes JMP 750d86ec C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074be15b5 2 bytes JMP 7504fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074be15cd 2 bytes JMP 7505b2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074be16b2 2 bytes JMP 750d8eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2164]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074be16bd 2 bytes JMP 750d8681 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074be1401 2 bytes JMP 7505b20b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074be1419 2 bytes JMP 7505b336 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074be1431 2 bytes JMP 750d8f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074be144a 2 bytes CALL 75034885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074be14dd 2 bytes JMP 750d8832 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074be14f5 2 bytes JMP 750d8a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074be150d 2 bytes JMP 750d8728 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074be1525 2 bytes JMP 750d8af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074be153d 2 bytes JMP 7504fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074be1555 2 bytes JMP 750568df C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074be156d 2 bytes JMP 750d8ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074be1585 2 bytes JMP 750d8b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074be159d 2 bytes JMP 750d86ec C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074be15b5 2 bytes JMP 7504fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074be15cd 2 bytes JMP 7505b2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074be16b2 2 bytes JMP 750d8eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe[2748]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074be16bd 2 bytes JMP 750d8681 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074be1401 2 bytes JMP 7505b20b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074be1419 2 bytes JMP 7505b336 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074be1431 2 bytes JMP 750d8f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074be144a 2 bytes CALL 75034885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074be14dd 2 bytes JMP 750d8832 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074be14f5 2 bytes JMP 750d8a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074be150d 2 bytes JMP 750d8728 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074be1525 2 bytes JMP 750d8af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074be153d 2 bytes JMP 7504fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074be1555 2 bytes JMP 750568df C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074be156d 2 bytes JMP 750d8ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074be1585 2 bytes JMP 750d8b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074be159d 2 bytes JMP 750d86ec C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074be15b5 2 bytes JMP 7504fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074be15cd 2 bytes JMP 7505b2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074be16b2 2 bytes JMP 750d8eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\svchost.exe[3956]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074be16bd 2 bytes JMP 750d8681 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074be1401 2 bytes JMP 7505b20b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074be1419 2 bytes JMP 7505b336 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074be1431 2 bytes JMP 750d8f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074be144a 2 bytes CALL 75034885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074be14dd 2 bytes JMP 750d8832 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074be14f5 2 bytes JMP 750d8a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074be150d 2 bytes JMP 750d8728 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074be1525 2 bytes JMP 750d8af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074be153d 2 bytes JMP 7504fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074be1555 2 bytes JMP 750568df C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074be156d 2 bytes JMP 750d8ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074be1585 2 bytes JMP 750d8b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074be159d 2 bytes JMP 750d86ec C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074be15b5 2 bytes JMP 7504fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074be15cd 2 bytes JMP 7505b2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074be16b2 2 bytes JMP 750d8eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe[4616]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074be16bd 2 bytes JMP 750d8681 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]  [7fef3fa741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]  [7fef3fa5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]  [7fef3fa5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]  [7fef3fa5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]  [7fef3fa7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]  [7fef3fa6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]  [7fef3fa6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]  [7fef3fa7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]  [7fef3fa7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]  [7fef3fa78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]  [7fef3fa4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]  [7fef3fa5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]  [7fef3fa7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\Explorer.EXE [3116:3912]  0000000002a39400
Thread  C:\Windows\Explorer.EXE [3116:3928]  0000000002a39400
Thread  C:\Windows\Explorer.EXE [3116:3932]  0000000002a39400
Thread  C:\Windows\Explorer.EXE [3116:3936]  0000000002a39400
Thread  C:\Windows\Explorer.EXE [3116:3940]  0000000002a39400
Thread  C:\Windows\Explorer.EXE [3116:3944]  0000000002a39400
Thread  C:\Windows\Explorer.EXE [3116:3988]  0000000002a39400
Thread  C:\Windows\Explorer.EXE [3116:5088]  0000000002a39400
Thread  C:\Windows\system32\taskhost.exe [3600:2100]  0000000001fd8200

---- Processes - GMER 2.1 ----

Process  C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe (*** suspicious ***) @ C:\Users\LUCAS\AppData\Roaming\evdyx-a.exe [2748](2015-11-10 01:19:09)  0000000000400000
Process  \\?\C:\Windows\system32\wbem\WMIADAP.EXE (*** suspicious ***) @ \\?\C:\Windows\system32\wbem\WMIADAP.EXE [1364] (WMI Reverse Performance Adapter Maintenance Utility/Microsoft Corporation)(2009-07-13 23:47:22)  00000000ff860000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395f9fb22
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395f9fb22 (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----