GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-23 14:04:29
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JEDO 596,17GB
Running: m1prlrk4.exe; Driver: C:\Users\HP\AppData\Local\Temp\uxldapow.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076551465 2 bytes [55, 76]
.text C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765514bb 2 bytes [55, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076551465 2 bytes [55, 76]
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765514bb 2 bytes [55, 76]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076551465 2 bytes [55, 76]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765514bb 2 bytes [55, 76]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076551465 2 bytes [55, 76]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765514bb 2 bytes [55, 76]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076551465 2 bytes [55, 76]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765514bb 2 bytes [55, 76]
.text ... * 2
.text C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe[3056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076551465 2 bytes [55, 76]
.text C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe[3056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765514bb 2 bytes [55, 76]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076551465 2 bytes [55, 76]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765514bb 2 bytes [55, 76]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000738f11a8 2 bytes [8F, 73]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000738f13a8 2 bytes [8F, 73]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 00000000738f1422 2 bytes [8F, 73]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3956] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 00000000738f1498 2 bytes [8F, 73]
.text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076551465 2 bytes [55, 76]
.text C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765514bb 2 bytes [55, 76]
.text ... * 2

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!memset] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??2@YAPEAX_K@Z] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!wcscpy_s] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_purecall] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??_V@YAXPEAX@Z] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!malloc] [537397db00000000]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!free] [200000000]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??_U@YAPEAX_K@Z] [68fc00000022]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!wcsncpy_s] [5cfc]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!__CxxFrameHandler3] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_amsg_exit] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_unlock] [80818086808006]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!__dllonexit] [8082868086031000]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_lock] [8585454545050514]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_onexit] [5080303000000585]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!realloc] [3827280008008080]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_errno] [3037000700805750]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [2000000088505030]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!memcpy_s] [8080888028]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??3@YAXPEAX@Z] [808686868606060]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_CxxThrowException] [870707770707807]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!QueryPerformanceCounter] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!UnhandledExceptionFilter] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!DisableThreadLibraryCalls] [0]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemFree] [8]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!StringFromGUID2] [5365734573755349]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemRealloc] [6e6f69737365]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoCreateInstance] [6174614473755349]
IAT C:\Windows\system32\svchost.exe[1064] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemAlloc] [65726f7473]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!malloc] [28c4834800000001]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_vsnwprintf] [ccccccccccccccc3]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_XcptFilter] [ccccffffc09225ff]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!wcsrchr] [83485540cccccccc]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_wcsnicmp] [8d8948ea8b4820ec]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!wcschr] [8b018b4800000100]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!memset] [48000000a8958910]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_amsg_exit] [6d73633d50458b50]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!free] [f8958b481475e0]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!wcsstr] [f95ce8504d8b0000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_initterm] [c707eb304589ffff]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[msvcrt.dll!memcpy] [458b000000003045]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlCaptureContext] [cccccccccccccccc]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlLookupFunctionEntry] [83485540cccccccc]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlVirtualUnwind] [8d8948ea8b4820ec]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtOpenFile] [8b018b4800000110]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlInitUnicodeString] [4800000098958910]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtClose] [5589000000d08d89]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtCreateFile] [6d73633d70458b70]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlAppendUnicodeToString] [d0958b481475e0]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtFsControlFile] [f8fce8704d8b0000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtQueryAttributesFile] [c707eb384589ffff]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\drprov.dll[WINSTA.dll!WinStationIsSessionRemoteable] [5589000000908d89]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!_wcsnicmp] [65657266043a0000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!wcsrchr] [555f3f3f00220000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!iswctype] [5f58414550415940]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!_vsnwprintf] [626d047b005a404b]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!tolower] [7363776f7473]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!wcsstr] [7970636d656d0481]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!wcstok] [656d04830000735f]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!_XcptFilter] [735f65766f6d6d]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!malloc] [415940323f3f0013]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!_initterm] [5a404b5f58414550]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!free] [6c6c616304130000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!_amsg_exit] [616d04740000636f]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!memset] [697270776e73765f]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!wcschr] [637704fe0066746e]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[msvcrt.dll!memcpy] [4fb007268637273]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!RtlCaptureContext] [6373637704f30073]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!RtlLookupFunctionEntry] [4ee0000735f7970]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!RtlVirtualUnwind] [735f746163736377]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwEventWrite] [7275705f028d0000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!RtlNtStatusToDosErrorNoTeb] [484006c6c616365]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwEventUnregister] [7465736d656d]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwTraceMessage] [70735f435f5f0053]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!RtlNtStatusToDosError] [685f636966696365]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwEventRegister] [72656c646e61]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwGetTraceLoggerHandle] [46747063585f0052]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwUnregisterTraceGuids] [16c007265746c69]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwRegisterTraceGuidsW] [72657474696e695f]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwGetTraceEnableFlags] [736d615f00a0006d]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[ntdll.dll!EtwGetTraceEnableLevel] [746978655f67]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[DAVHLPR.dll!DavCheckAndConvertHttpUrlToUncName] [9c006567617373]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[DAVHLPR.dll!DavGetServerPortAndPhysicalName] [6f646e6957666544]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[DAVHLPR.dll!DavGetHTTPFromUNCPath] [57636f725077]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!DelayLoadFailureHook] [6e55030d00577478]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!GetModuleHandleW] [7265747369676572]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!CloseHandle] [417373616c43]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!WaitForSingleObject] [642e323352455355]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!IdnToAscii] [725402f600006c6c]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!FreeLibraryAndExitThread] [617373654d656361]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!CreateThread] [646e614872656767]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!SetEvent] [6547015c0000656c]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!QueryDosDeviceW] [6e45656361725474]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\davclnt.dll[KERNEL32.dll!LoadLibraryW] [6576654c656c6261]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!memset] [3b4908c68348d1ff]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!memcpy] [ef850fc33be572f6]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_amsg_exit] [41070d8d480000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!free] [5c70000037ae800]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_initterm] [200004f40]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!malloc] [48c38b480a75eb3b]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_XcptFilter] [394800004f220587]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!iswdigit] [ea850f000056eb1d]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!toupper] [4f1b3d01000011]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_vsnwprintf] [58b00000083e900]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_wcsnicmp] [8e0fc33b00004f10]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!wcschr] [2b017b8d0000119e]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlCaptureContext] [3db10f48f0c03300]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlLookupFunctionEntry] [114d850f00004ee4]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwTraceMessage] [4ee8058b0000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventWrite] [114f850f02f883]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventUnregister] [4ef82d8b4800]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtClose] [358b482d74eb3b48]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlNtStatusToDosError] [f8c6834800004ee4]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtCreateFile] [3c830ff53b4800eb]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventRegister] [15ffcd8b48000011]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtFsControlFile] [c51d894800003eec]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlInitUnicodeString] [4ec61d894800004e]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlVirtualUnwind] [4ea01d890000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!UnhandledExceptionFilter] [9090909090909090]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetProcAddress] [9090909090909090]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!FreeLibrary] [6c894808245c8948]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!SetLastError] [5541544157561024]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LocalFree] [db3320ec83485641]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LocalAlloc] [d33be98b4ce08b4d]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetLastError] [1bf000000c0840f]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!Sleep] [36850fd73b000000]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!DisableThreadLibraryCalls] [25048b4865000001]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!DelayLoadFailureHook] [8b48eb8b00000030]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!QueryPerformanceCounter] [48f0c03300eb0870]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetTickCount] [f00004fa135b10f]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentThreadId] [8b00eb0000124485]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcessId] [fc33b00004fa305]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [358d480000125185]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!TerminateProcess] [65358d4c0000415c]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcess] [4f873d89000041]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [2373f63b49c38b00]
IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LoadLibraryExA] [120a850fc33b]

---- Files - GMER 2.2 ----

File C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-a228dcbf.exe (size mismatch) 4390912/0 bytes executable
File C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5821318a.exe (size mismatch) 278528/0 bytes executable

---- EOF - GMER 2.2 ----