GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-01-28 21:46:09
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP6T0L0-c KINGSTON_SV300S37A120G rev.583ABBF0 111,79GB
Running: 75jvdmzj.exe; Driver: C:\Users\NTT\AppData\Local\Temp\uwdirpow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000076491401 2 bytes JMP 7591b21b C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000076491419 2 bytes JMP 7591b346 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000076491431 2 bytes JMP 75998fd1 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  000000007649144a 2 bytes CALL 758f489d C:\Windows\syswow64\KERNEL32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000764914dd 2 bytes JMP 759988c4 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000764914f5 2 bytes JMP 75998aa0 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  000000007649150d 2 bytes JMP 759987ba C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000076491525 2 bytes JMP 75998b8a C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  000000007649153d 2 bytes JMP 7590fca8 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000076491555 2 bytes JMP 759168ef C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  000000007649156d 2 bytes JMP 75999089 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000076491585 2 bytes JMP 75998bea C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  000000007649159d 2 bytes JMP 7599877e C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000764915b5 2 bytes JMP 7590fd41 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000764915cd 2 bytes JMP 7591b2dc C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000764916b2 2 bytes JMP 75998f4c C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[1680] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000764916bd 2 bytes JMP 75998713 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076491401 2 bytes JMP 7591b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076491419 2 bytes JMP 7591b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076491431 2 bytes JMP 75998fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007649144a 2 bytes CALL 758f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764914dd 2 bytes JMP 759988c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764914f5 2 bytes JMP 75998aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007649150d 2 bytes JMP 759987ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076491525 2 bytes JMP 75998b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007649153d 2 bytes JMP 7590fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076491555 2 bytes JMP 759168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007649156d 2 bytes JMP 75999089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076491585 2 bytes JMP 75998bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007649159d 2 bytes JMP 7599877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764915b5 2 bytes JMP 7590fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764915cd 2 bytes JMP 7591b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764916b2 2 bytes JMP 75998f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764916bd 2 bytes JMP 75998713 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000076491401 2 bytes JMP 7591b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000076491419 2 bytes JMP 7591b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000076491431 2 bytes JMP 75998fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  000000007649144a 2 bytes CALL 758f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000764914dd 2 bytes JMP 759988c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000764914f5 2 bytes JMP 75998aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  000000007649150d 2 bytes JMP 759987ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000076491525 2 bytes JMP 75998b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  000000007649153d 2 bytes JMP 7590fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000076491555 2 bytes JMP 759168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  000000007649156d 2 bytes JMP 75999089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000076491585 2 bytes JMP 75998bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  000000007649159d 2 bytes JMP 7599877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000764915b5 2 bytes JMP 7590fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000764915cd 2 bytes JMP 7591b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000764916b2 2 bytes JMP 75998f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3248] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000764916bd 2 bytes JMP 75998713 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!DispatchMessageW  000000007651787b 5 bytes JMP 000000016052acb0
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!DispatchMessageA  0000000076517bbb 5 bytes JMP 000000016052ac80
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000076518a29 5 bytes JMP 000000016052b690
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!SetWindowPos  0000000076518e4e 5 bytes JMP 000000016052ae10
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!DestroyWindow  0000000076519a55 5 bytes JMP 000000016052ade0
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!CreateWindowExA  000000007651d22e 5 bytes JMP 000000016052b550
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!PeekMessageW  00000000765205ba 5 bytes JMP 000000016052afd0
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!ShowWindow  0000000076520dfb 3 bytes JMP 000000016052ace0
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!ShowWindow + 4  0000000076520dff 1 byte [EA]
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!EndPaint  0000000076521341 3 bytes JMP 000000016052b0b0
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!EndPaint + 4  0000000076521345 1 byte [EA]
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!BeginPaint  0000000076521361 3 bytes JMP 000000016052b050
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!BeginPaint + 4  0000000076521365 1 byte [EA]
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindowIndirect  00000000765228da 5 bytes JMP 000000016052b4d0
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!SetCursor  00000000765241f6 3 bytes JMP 000000016052a590
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!SetCursor + 4  00000000765241fa 1 byte [EA]
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!PeekMessageA  0000000076525f74 5 bytes JMP 000000016052af70
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!BringWindowToTop  0000000076527b3b 5 bytes JMP 000000016052b030
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!AnimateWindow  000000007652b531 5 bytes JMP 000000016052ae80
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindow  000000007652ba4a 5 bytes JMP 000000016052b400
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!WindowFromPoint  000000007653ed12 5 bytes JMP 000000016052a5b0
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!SetCapture  000000007653ed56 5 bytes JMP 000000016052af50
.text  C:\Program Files (x86)\Raptr\raptr.exe[4260] C:\Windows\syswow64\USER32.dll!SetForegroundWindow  000000007653f170 5 bytes JMP 000000016052af10
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076491401 2 bytes JMP 7591b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076491419 2 bytes JMP 7591b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076491431 2 bytes JMP 75998fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007649144a 2 bytes CALL 758f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764914dd 2 bytes JMP 759988c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764914f5 2 bytes JMP 75998aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007649150d 2 bytes JMP 759987ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076491525 2 bytes JMP 75998b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007649153d 2 bytes JMP 7590fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076491555 2 bytes JMP 759168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007649156d 2 bytes JMP 75999089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076491585 2 bytes JMP 75998bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007649159d 2 bytes JMP 7599877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764915b5 2 bytes JMP 7590fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764915cd 2 bytes JMP 7591b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764916b2 2 bytes JMP 75998f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Raptr\raptr_im.exe[4880] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764916bd 2 bytes JMP 75998713 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076491401 2 bytes JMP 7591b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076491419 2 bytes JMP 7591b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076491431 2 bytes JMP 75998fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007649144a 2 bytes CALL 758f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764914dd 2 bytes JMP 759988c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764914f5 2 bytes JMP 75998aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007649150d 2 bytes JMP 759987ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076491525 2 bytes JMP 75998b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007649153d 2 bytes JMP 7590fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076491555 2 bytes JMP 759168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007649156d 2 bytes JMP 75999089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076491585 2 bytes JMP 75998bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007649159d 2 bytes JMP 7599877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764915b5 2 bytes JMP 7590fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764915cd 2 bytes JMP 7591b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764916b2 2 bytes JMP 75998f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764916bd 2 bytes JMP 75998713 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076491401 2 bytes JMP 7591b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076491419 2 bytes JMP 7591b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076491431 2 bytes JMP 75998fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007649144a 2 bytes CALL 758f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764914dd 2 bytes JMP 759988c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764914f5 2 bytes JMP 75998aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007649150d 2 bytes JMP 759987ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076491525 2 bytes JMP 75998b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007649153d 2 bytes JMP 7590fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076491555 2 bytes JMP 759168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007649156d 2 bytes JMP 75999089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076491585 2 bytes JMP 75998bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007649159d 2 bytes JMP 7599877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764915b5 2 bytes JMP 7590fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764915cd 2 bytes JMP 7591b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764916b2 2 bytes JMP 75998f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764916bd 2 bytes JMP 75998713 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076491401 2 bytes JMP 7591b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076491419 2 bytes JMP 7591b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076491431 2 bytes JMP 75998fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007649144a 2 bytes CALL 758f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764914dd 2 bytes JMP 759988c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764914f5 2 bytes JMP 75998aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007649150d 2 bytes JMP 759987ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076491525 2 bytes JMP 75998b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007649153d 2 bytes JMP 7590fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076491555 2 bytes JMP 759168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007649156d 2 bytes JMP 75999089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076491585 2 bytes JMP 75998bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007649159d 2 bytes JMP 7599877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764915b5 2 bytes JMP 7590fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764915cd 2 bytes JMP 7591b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764916b2 2 bytes JMP 75998f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764916bd 2 bytes JMP 75998713 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076491401 2 bytes JMP 7591b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076491419 2 bytes JMP 7591b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076491431 2 bytes JMP 75998fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007649144a 2 bytes CALL 758f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764914dd 2 bytes JMP 759988c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764914f5 2 bytes JMP 75998aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007649150d 2 bytes JMP 759987ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076491525 2 bytes JMP 75998b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007649153d 2 bytes JMP 7590fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076491555 2 bytes JMP 759168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007649156d 2 bytes JMP 75999089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076491585 2 bytes JMP 75998bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007649159d 2 bytes JMP 7599877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764915b5 2 bytes JMP 7590fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764915cd 2 bytes JMP 7591b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764916b2 2 bytes JMP 75998f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\GalaxyClient\GalaxyClient Helper.exe[5460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764916bd 2 bytes JMP 75998713 C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\GOG.com\Galaxy\redists\PocoFoundation.dll (*** suspicious ***) @ C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [4068](2015-05-21 20:20:19)  0000000060c50000
Library  C:\ProgramData\GOG.com\Galaxy\redists\pcre.dll (*** suspicious ***) @ C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [4068](2015-05-21 20:20:19)  0000000060be0000
Library  C:\ProgramData\GOG.com\Galaxy\redists\zlib.dll (*** suspicious ***) @ C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [4068](2015-05-21 20:20:19)  0000000060bc0000
Library  C:\ProgramData\GOG.com\Galaxy\redists\PocoJSON.dll (*** suspicious ***) @ C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [4068](2015-05-21 20:20:19)  0000000060b50000
Library  C:\ProgramData\GOG.com\Galaxy\redists\PocoUtil.dll (*** suspicious ***) @ C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [4068](2015-05-21 20:20:19)  0000000060ac0000
Library  C:\ProgramData\GOG.com\Galaxy\redists\PocoXML.dll (*** suspicious ***) @ C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [4068](2015-05-21 20:20:19)  0000000060a30000
Library  C:\ProgramData\GOG.com\Galaxy\redists\expat.dll (*** suspicious ***) @ C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [4068](2015-05-21 20:20:19)  00000000609d0000

---- Registry - GMER 2.1 ----

Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\NTT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GOG.com\Wiedźmin 3® - Dziki Gon\Usuń Wiedźmin 3® - Dziki Gon.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com\Wiedźmin 3® - Dziki Gon\Usuń Wiedźmin 3® - Dziki Gon.lnk  1

---- Files - GMER 2.1 ----

File  C:\Users\NTT\AppData\Local\Temp\hsperfdata_NTT\276  65536 bytes
File  C:\FRST  0 bytes
File  C:\FRST\Hives  0 bytes
File  C:\FRST\Hives\BCD  24576 bytes
File  C:\FRST\Hives\DEFAULT  253952 bytes
File  C:\FRST\Hives\ERDNT.CON  800 bytes
File  C:\FRST\Hives\ERDNT.EXE  163328 bytes executable
File  C:\FRST\Hives\ERDNT.INF  832 bytes
File  C:\FRST\Hives\ERDNTDOS.LOC  2815 bytes
File  C:\FRST\Hives\ERDNTWIN.LOC  3275 bytes
File  C:\FRST\Hives\SAM  32768 bytes
File  C:\FRST\Hives\SECURITY  24576 bytes
File  C:\FRST\Hives\SOFTWARE  83456000 bytes
File  C:\FRST\Hives\SYSTEM  22876160 bytes
File  C:\FRST\Hives\Users  0 bytes
File  C:\FRST\Hives\Users\00000001  0 bytes
File  C:\FRST\Hives\Users\00000001\NTUSER.DAT  2269184 bytes
File  C:\FRST\Hives\Users\00000002  0 bytes
File  C:\FRST\Hives\Users\00000002\UsrClass.dat  3375104 bytes
File  C:\FRST\Logs  0 bytes
File  C:\FRST\Quarantine  0 bytes

---- EOF - GMER 2.1 ----