GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-01-07 11:06:59
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.D005 465,76GB
Running: 8y7p8iri.exe; Driver: C:\Users\tomek\AppData\Local\Temp\fwldapow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075b21401 2 bytes JMP 758ab21b C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075b21419 2 bytes JMP 758ab346 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075b21431 2 bytes JMP 75928f29 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075b2144a 2 bytes CALL 7588489d C:\windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075b214dd 2 bytes JMP 75928822 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075b214f5 2 bytes JMP 759289f8 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075b2150d 2 bytes JMP 75928718 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075b21525 2 bytes JMP 75928ae2 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075b2153d 2 bytes JMP 7589fca8 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075b21555 2 bytes JMP 758a68ef C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075b2156d 2 bytes JMP 75928fe3 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075b21585 2 bytes JMP 75928b42 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075b2159d 2 bytes JMP 759286dc C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075b215b5 2 bytes JMP 7589fd41 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075b215cd 2 bytes JMP 758ab2dc C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075b216b2 2 bytes JMP 75928ea4 C:\windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[1568] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075b216bd 2 bytes JMP 75928671 C:\windows\syswow64\KERNEL32.dll
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd832db0 5 bytes JMP 000007fffd820180
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd8337d0 7 bytes JMP 000007fffd8200d8
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd83a410 2 bytes JMP 000007fffd820110
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd83a413 2 bytes [FE, FF]
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd83aec0 6 bytes JMP 000007fffd820148
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1489d0 8 bytes JMP 000007fffd8201f0
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe14be40 8 bytes JMP 000007fffd8201b8
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\dxgi.dll!CreateDXGIFactory 000007fef93cdc88 5 bytes JMP 000007fff91c00d8
.text C:\windows\system32\Dwm.exe[1724] C:\windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef93cde10 5 bytes JMP 000007fff91c0110
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\kernel32.dll!RegSetValueExW 000000007776a3e0 7 bytes JMP 000000016fff0228
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000077773f00 5 bytes JMP 000000016fff0180
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\kernel32.dll!RegDeleteValueW 000000007778ffd0 5 bytes JMP 000000016fff01b8
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007779f350 5 bytes JMP 000000016fff0110
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000777c9aa0 7 bytes JMP 000000016fff00d8
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\kernel32.dll!K32GetModuleInformation 00000000777d9530 5 bytes JMP 000000016fff0148
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\kernel32.dll!RegSetValueExA 00000000777f8850 7 bytes JMP 000000016fff01f0
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd832db0 5 bytes JMP 000007fffd820180
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd8337d0 7 bytes JMP 000007fffd8200d8
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd83a410 2 bytes JMP 000007fffd820110
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd83a413 2 bytes [FE, FF]
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd83aec0 6 bytes JMP 000007fffd820148
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1489d0 8 bytes JMP 000007fffd8201f0
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe14be40 8 bytes JMP 000007fffd8201b8
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\ole32.dll!CoCreateInstance 000007feff4c74a0 11 bytes JMP 000007fffd820228
.text C:\Program Files\DellTPad\Apoint.exe[2036] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007feff4dbf10 7 bytes JMP 000007fffd820260
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\kernel32.dll!RegSetValueExW 000000007776a3e0 7 bytes JMP 000000016fff0228
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000077773f00 5 bytes JMP 000000016fff0180
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\kernel32.dll!RegDeleteValueW 000000007778ffd0 5 bytes JMP 000000016fff01b8
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007779f350 5 bytes JMP 000000016fff0110
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000777c9aa0 7 bytes JMP 000000016fff00d8
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\kernel32.dll!K32GetModuleInformation 00000000777d9530 5 bytes JMP 000000016fff0148
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\kernel32.dll!RegSetValueExA 00000000777f8850 7 bytes JMP 000000016fff01f0
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd832db0 5 bytes JMP 000007fffd820180
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd8337d0 7 bytes JMP 000007fffd8200d8
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd83a410 2 bytes JMP 000007fffd820110
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd83a413 2 bytes [FE, FF]
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd83aec0 6 bytes JMP 000007fffd820148
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1489d0 8 bytes JMP 000007fffd8201f0
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe14be40 8 bytes JMP 000007fffd8201b8
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\ole32.dll!CoCreateInstance 000007feff4c74a0 11 bytes JMP 000007fffd820228
.text C:\Program Files\IDT\WDM\sttray64.exe[2044] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007feff4dbf10 7 bytes JMP 000007fffd820260
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\SysWOW64\WSOCK32.dll!recv + 82 0000000074ec17fa 2 bytes CALL 758811a9 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074ec1860 2 bytes CALL 758811a9 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074ec1942 2 bytes JMP 77627089 C:\windows\syswow64\WS2_32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000074ec194d 2 bytes JMP 7762cba6 C:\windows\syswow64\WS2_32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075b21401 2 bytes JMP 758ab21b C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075b21419 2 bytes JMP 758ab346 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075b21431 2 bytes JMP 75928f29 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075b2144a 2 bytes CALL 7588489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075b214dd 2 bytes JMP 75928822 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075b214f5 2 bytes JMP 759289f8 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075b2150d 2 bytes JMP 75928718 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075b21525 2 bytes JMP 75928ae2 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075b2153d 2 bytes JMP 7589fca8 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075b21555 2 bytes JMP 758a68ef C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075b2156d 2 bytes JMP 75928fe3 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075b21585 2 bytes JMP 75928b42 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075b2159d 2 bytes JMP 759286dc C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075b215b5 2 bytes JMP 7589fd41 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075b215cd 2 bytes JMP 758ab2dc C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075b216b2 2 bytes JMP 75928ea4 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\PnkBstrA.exe[2752] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075b216bd 2 bytes JMP 75928671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\kernel32.dll!RegSetValueExW 000000007776a3e0 7 bytes JMP 000000016fff0228
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000077773f00 5 bytes JMP 000000016fff0180
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\kernel32.dll!RegDeleteValueW 000000007778ffd0 5 bytes JMP 000000016fff01b8
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007779f350 5 bytes JMP 000000016fff0110
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000777c9aa0 7 bytes JMP 000000016fff00d8
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\kernel32.dll!K32GetModuleInformation 00000000777d9530 5 bytes JMP 000000016fff0148
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\kernel32.dll!RegSetValueExA 00000000777f8850 7 bytes JMP 000000016fff01f0
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd832db0 5 bytes JMP 000007fffd820180
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd8337d0 7 bytes JMP 000007fffd8200d8
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd83a410 2 bytes JMP 000007fffd820110
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd83a413 2 bytes [FE, FF]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd83aec0 6 bytes JMP 000007fffd820148
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1489d0 8 bytes JMP 000007fffd8201f0
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4248] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe14be40 8 bytes JMP 000007fffd8201b8
.text C:\Program Files\DellTPad\HidFind.exe[4308] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd832db0 5 bytes JMP 000007fffd820180
.text C:\Program Files\DellTPad\HidFind.exe[4308] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd8337d0 7 bytes JMP 000007fffd8200d8
.text C:\Program Files\DellTPad\HidFind.exe[4308] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd83a410 2 bytes JMP 000007fffd820110
.text C:\Program Files\DellTPad\HidFind.exe[4308] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd83a413 2 bytes [FE, FF]
.text C:\Program Files\DellTPad\HidFind.exe[4308] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd83aec0 6 bytes JMP 000007fffd820148
.text C:\Program Files\DellTPad\HidFind.exe[4308] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1489d0 8 bytes JMP 000007fffd8201f0
.text C:\Program Files\DellTPad\HidFind.exe[4308] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe14be40 8 bytes JMP 000007fffd8201b8
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\kernel32.dll!RegSetValueExW 000000007776a3e0 7 bytes JMP 000000016fff0228
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000077773f00 5 bytes JMP 000000016fff0180
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\kernel32.dll!RegDeleteValueW 000000007778ffd0 5 bytes JMP 000000016fff01b8
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007779f350 5 bytes JMP 000000016fff0110
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000777c9aa0 7 bytes JMP 000000016fff00d8
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\kernel32.dll!K32GetModuleInformation 00000000777d9530 5 bytes JMP 000000016fff0148
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\kernel32.dll!RegSetValueExA 00000000777f8850 7 bytes JMP 000000016fff01f0
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd832db0 5 bytes JMP 000007fffd820180
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd8337d0 7 bytes JMP 000007fffd8200d8
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd83a410 2 bytes JMP 000007fffd820110
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd83a413 2 bytes [FE, FF]
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd83aec0 6 bytes JMP 000007fffd820148
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe1489d0 8 bytes JMP 000007fffd8201f0
.text C:\Program Files\DellTPad\Apntex.exe[4316] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe14be40 8 bytes JMP 000007fffd8201b8
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075881efe 7 bytes JMP 0000000172fe3550
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\kernel32.dll!RegSetValueExW 0000000075885b9d 7 bytes JMP 0000000172fe37f0
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000758913f9 7 bytes JMP 0000000172fe3650
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 000000007589ea45 7 bytes JMP 0000000172fe3540
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075928ea4 7 bytes JMP 0000000172fe3310
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075928f29 5 bytes JMP 0000000172fe33c0
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075929281 5 bytes JMP 0000000172fe3320
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075831d29 5 bytes JMP 0000000172fe32b0
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075831dd7 5 bytes JMP 0000000172fe3270
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075832ab1 5 bytes JMP 0000000172fe33d0
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075832d1d 5 bytes JMP 0000000172fe30b0
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075cad2b4 5 bytes JMP 0000000172fe2cd0
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075cad4ee 5 bytes JMP 0000000172fe2ce0
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000077678a29 5 bytes JMP 0000000172fe2c60
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000077684572 5 bytes JMP 0000000172fe3030
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007769e567 5 bytes JMP 0000000172fe30a0
.text C:\Users\tomek\Desktop\Pobrane z Chrome'a\8y7p8iri.exe[4376] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000776d7a5c 5 bytes JMP 0000000172fe3020

---- Threads - GMER 2.1 ----

Thread C:\windows\system32\svchost.exe [332:3452] 000007fef13f4f84
Thread C:\windows\system32\svchost.exe [332:3460] 000007fef0ffd3c8
Thread C:\windows\system32\svchost.exe [332:4552] 000007fef0ffd3c8
Thread C:\windows\system32\svchost.exe [332:3348] 000007fef0ffd3c8
Thread C:\windows\system32\svchost.exe [332:4932] 000007fef0ffd3c8
Thread C:\windows\System32\svchost.exe [3020:4240] 000007fef0de9688
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [744:440] 000007fefb942bf8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [744:4304] 000007feebba5648
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [744:4960] 000007fefa1c5124

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [1808] (GG drive overlay/GG Network S.A.)(2015-02-23 16:45:51) 000000005c080000
Process C:\Users\tomek\AppData\Roaming\pwo6\svchost.exe (*** suspicious ***) @ C:\Users\tomek\AppData\Roaming\pwo6\svchost.exe [1972](2016-01-0 0000000000400000
Library C:\Users\tomek\AppData\Local\Temp\_MEI5082\python27.dll (*** suspicious ***) @ C:\Users\tomek\AppData\Roaming\pwo6\svchost.exe [1972] (Python Core/Python Software Foundation)(2016-01-07 09:19:13) 000000001e000000
Library C:\Users\tomek\AppData\Local\Temp\_MEI5082\_hashlib.pyd (*** suspicious ***) @ C:\Users\tomek\AppData\Roaming\pwo6\svchost.exe [1972](2016-01-07 09:19:13) 0000000010000000
Library C:\Users\tomek\AppData\Local\Temp\_MEI5082\win32api.pyd (*** suspicious ***) @ C:\Users\tomek\AppData\Roaming\pwo6\svchost.exe [1972](2016-01-07 09:19:14) 000000001e8c0000
Library C:\Users\tomek\AppData\Local\Temp\_MEI5082\pywintypes27.dll (*** suspicious ***) @ C:\Users\tomek\AppData\Roaming\pwo6\svchost.exe [1972](2016-01-07 09:19:14) 000000001e7a0000
Library C:\Users\tomek\AppData\Local\Temp\_MEI5082\pythoncom27.dll (*** suspicious ***) @ C:\Users\tomek\AppData\Roaming\pwo6\svchost.exe [1972](2016-01-07 09:19:14) 0000000000330000
Process C:\Users\tomek\AppData\Local\Temp\_MEI5082\bin\winlogon.exe (*** suspicious ***) @ C:\Users\tomek\AppData\Local\Temp\_MEI5082\bin\winlogon.exe [3372](2016-01-07 09:19:14) 0000000000400000
Library C:\Users\tomek\AppData\Local\Temp\_MEI5082\bin\LIBEAY32.dll (*** suspicious ***) @ C:\Users\tomek\AppData\Local\Temp\_MEI5082\bin\winlogon.exe [3372] (OpenSSL shared library/The OpenSSL Project, http://www.openssl.org/)(2016-01-07 09:19:14) 0000000063000000
Library C:\Users\tomek\AppData\Local\Temp\_MEI5082\bin\SSLEAY32.dll (*** suspicious ***) @ C:\Users\tomek\AppData\Local\Temp\_MEI5082\bin\winlogon.exe [3372] (OpenSSL shared library/The OpenSSL Project, http://www.openssl.org/)(2016-01-07 09:19:14) 000000006e400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015007f6c3b
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc7737048afc
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e4d53d000e54
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015007f6c3b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\bc7737048afc (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e4d53d000e54 (not active ControlSet)

---- EOF - GMER 2.1 ----