GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-25 05:17:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD1600BEVT-22ZCT0 rev.11.01A11 149,05GB Running: vxoztj12.exe; Driver: C:\Users\UZYTKO~1\AppData\Local\Temp\kwlcyaob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.1\avp.exe[1528] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007775fab8 5 bytes JMP 0000000073952b10 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.1\avp.exe[1528] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077760048 5 bytes JMP 0000000073952ad0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077191401 2 bytes JMP 76bbb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077191419 2 bytes JMP 76bbb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077191431 2 bytes JMP 76c39149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007719144a 2 bytes CALL 76b94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771914dd 2 bytes JMP 76c38a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771914f5 2 bytes JMP 76c38c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007719150d 2 bytes JMP 76c38938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077191525 2 bytes JMP 76c38d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007719153d 2 bytes JMP 76bafcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077191555 2 bytes JMP 76bb6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007719156d 2 bytes JMP 76c39201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077191585 2 bytes JMP 76c38d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007719159d 2 bytes JMP 76c388fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771915b5 2 bytes JMP 76bafd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771915cd 2 bytes JMP 76bbb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771916b2 2 bytes JMP 76c390c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2788] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771916bd 2 bytes JMP 76c38891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077191401 2 bytes JMP 76bbb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077191419 2 bytes JMP 76bbb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077191431 2 bytes JMP 76c39149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007719144a 2 bytes CALL 76b94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771914dd 2 bytes JMP 76c38a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771914f5 2 bytes JMP 76c38c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007719150d 2 bytes JMP 76c38938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077191525 2 bytes JMP 76c38d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007719153d 2 bytes JMP 76bafcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077191555 2 bytes JMP 76bb6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007719156d 2 bytes JMP 76c39201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077191585 2 bytes JMP 76c38d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007719159d 2 bytes JMP 76c388fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771915b5 2 bytes JMP 76bafd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771915cd 2 bytes JMP 76bbb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771916b2 2 bytes JMP 76c390c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771916bd 2 bytes JMP 76c38891 C:\Windows\syswow64\kernel32.dll .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000077561234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000775612df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077561434 8 bytes [A0, 7B, E8, 7E, 00, 00, 00, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 127 00000000775617bf 7 bytes [7B, E8, 7E, 00, 00, 00, 00] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 644 00000000775619c4 8 bytes [80, 7B, E8, 7E, 00, 00, 00, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077561aa4 8 bytes {JO 0x7d; CALL 0x85} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077561c25 8 bytes [60, 7B, E8, 7E, 00, 00, 00, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077561d8f 8 bytes [50, 7B, E8, 7E, 00, 00, 00, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077561e75 8 bytes [40, 7B, E8, 7E, 00, 00, 00, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 00000000775620d8 8 bytes [30, 7B, E8, 7E, 00, 00, 00, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000775abc00 8 bytes {JMP QWORD [RIP-0x4a162]} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000775abd80 8 bytes {JMP QWORD [RIP-0x4a161]} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000775abdb0 8 bytes {JMP QWORD [RIP-0x4a982]} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000775abf80 8 bytes {JMP QWORD [RIP-0x4a7c8]} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 8 bytes {JMP QWORD [RIP-0x4a4de]} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 8 bytes {JMP QWORD [RIP-0x4a991]} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 8 bytes {JMP QWORD [RIP-0x4b2d7]} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ea13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ea146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ea16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ea19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ea19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Uzytkownik\Downloads\vxoztj12.exe[2252] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ea1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff880046e3750] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [77710000] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77710000] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\USER32.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\GDI32.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77710000] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77710000] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77710000] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\System32\CRYPT32.dll[ntdll.dll!NtClose] [77710010] IAT C:\Windows\system32\AUDIODG.EXE[968] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtClose] [77710010] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef919741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef9195f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef9195674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef9195e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef9197f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef9196a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef9196ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef9197b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef9197ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef91978b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef9194fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef9195d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1980] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef9197584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.2 ---- Device \Driver\hitmanpro37 \Device\Hitman Pro 37 fffff88006b92860 ---- Processes - GMER 2.2 ---- Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 00000000718e0000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 00000000718b0000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 0000000071840000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 0000000071800000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 0000000071760000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 0000000071700000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 00000000716d0000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 0000000071620000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 00000000715b0000 Library ? (*** suspicious ***) @ C:\Users\Uzytkownik\AppData\Local\Temp\{2173E9B8-72BD-44E7-9424-1C58D9801440}\{A3FE4247-A234-44FC-8ACA-593DA0D325DA}.exe [2616] 0000000071560000 ---- EOF - GMER 2.2 ----