GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-04-11 14:04:29
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD502IJ rev.1AA01113 465,76GB
Running: m167z80x.exe; Driver: C:\Users\PostraCH\AppData\Local\Temp\kwlcyfow.sys


---- Kernel code sections - GMER 2.2 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- User code sections - GMER 2.2 ----

.text  C:\Windows\Explorer.EXE[1476]  C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1  0000000076d4b5e1 7 bytes [B8, 70, C0, 65, F4, FE, 07]
.text  C:\Windows\Explorer.EXE[1476]  C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10  0000000076d4b5ea 11 bytes {JMP RAX}
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076481419 2 bytes JMP 74afb513 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076481431 2 bytes JMP 74b78609 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007648144a 2 bytes CALL 74ad1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764814dd 2 bytes JMP 74b77efe C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764814f5 2 bytes JMP 74b780d8 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007648150d 2 bytes JMP 74b77df4 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076481525 2 bytes JMP 74b781c2 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007648153d 2 bytes JMP 74aef088 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076481555 2 bytes JMP 74afb885 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007648156d 2 bytes JMP 74b786c1 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076481585 2 bytes JMP 74b78222 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007648159d 2 bytes JMP 74b77db8 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764815b5 2 bytes JMP 74aef121 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764815cd 2 bytes JMP 74afb29f C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764816b2 2 bytes JMP 74b78584 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764816bd 2 bytes JMP 74b77d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076481419 2 bytes JMP 74afb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076481431 2 bytes JMP 74b78609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007648144a 2 bytes CALL 74ad1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764814dd 2 bytes JMP 74b77efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764814f5 2 bytes JMP 74b780d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007648150d 2 bytes JMP 74b77df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076481525 2 bytes JMP 74b781c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007648153d 2 bytes JMP 74aef088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076481555 2 bytes JMP 74afb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007648156d 2 bytes JMP 74b786c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076481585 2 bytes JMP 74b78222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007648159d 2 bytes JMP 74b77db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764815b5 2 bytes JMP 74aef121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764815cd 2 bytes JMP 74afb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764816b2 2 bytes JMP 74b78584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe[2576]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764816bd 2 bytes JMP 74b77d4d C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076481419 2 bytes JMP 74afb513 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076481431 2 bytes JMP 74b78609 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007648144a 2 bytes CALL 74ad1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764814dd 2 bytes JMP 74b77efe C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764814f5 2 bytes JMP 74b780d8 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007648150d 2 bytes JMP 74b77df4 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076481525 2 bytes JMP 74b781c2 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007648153d 2 bytes JMP 74aef088 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076481555 2 bytes JMP 74afb885 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007648156d 2 bytes JMP 74b786c1 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076481585 2 bytes JMP 74b78222 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007648159d 2 bytes JMP 74b77db8 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764815b5 2 bytes JMP 74aef121 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764815cd 2 bytes JMP 74afb29f C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764816b2 2 bytes JMP 74b78584 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamservice.exe[764]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764816bd 2 bytes JMP 74b77d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076481419 2 bytes JMP 74afb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076481431 2 bytes JMP 74b78609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007648144a 2 bytes CALL 74ad1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764814dd 2 bytes JMP 74b77efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764814f5 2 bytes JMP 74b780d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007648150d 2 bytes JMP 74b77df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076481525 2 bytes JMP 74b781c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007648153d 2 bytes JMP 74aef088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076481555 2 bytes JMP 74afb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007648156d 2 bytes JMP 74b786c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076481585 2 bytes JMP 74b78222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007648159d 2 bytes JMP 74b77db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764815b5 2 bytes JMP 74aef121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764815cd 2 bytes JMP 74afb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764816b2 2 bytes JMP 74b78584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2972]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764816bd 2 bytes JMP 74b77d4d C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076481419 2 bytes JMP 74afb513 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076481431 2 bytes JMP 74b78609 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007648144a 2 bytes CALL 74ad1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764814dd 2 bytes JMP 74b77efe C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764814f5 2 bytes JMP 74b780d8 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007648150d 2 bytes JMP 74b77df4 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076481525 2 bytes JMP 74b781c2 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007648153d 2 bytes JMP 74aef088 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076481555 2 bytes JMP 74afb885 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007648156d 2 bytes JMP 74b786c1 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076481585 2 bytes JMP 74b78222 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007648159d 2 bytes JMP 74b77db8 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764815b5 2 bytes JMP 74aef121 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764815cd 2 bytes JMP 74afb29f C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764816b2 2 bytes JMP 74b78584 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764816bd 2 bytes JMP 74b77d4d C:\Windows\syswow64\kernel32.dll
?      C:\Windows\system32\mssprxy.dll [3408] entry point in ".rdata" section 0000000073c071e6
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000075291bb2 5 bytes JMP 000000005b90b9fb
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary  0000000075291d92 5 bytes JMP 000000005b90ba65
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076481419 2 bytes JMP 74afb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076481431 2 bytes JMP 74b78609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007648144a 2 bytes CALL 74ad1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000764814dd 2 bytes JMP 74b77efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000764814f5 2 bytes JMP 74b780d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007648150d 2 bytes JMP 74b77df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076481525 2 bytes JMP 74b781c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007648153d 2 bytes JMP 74aef088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076481555 2 bytes JMP 74afb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007648156d 2 bytes JMP 74b786c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076481585 2 bytes JMP 74b78222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007648159d 2 bytes JMP 74b77db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000764815b5 2 bytes JMP 74aef121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000764815cd 2 bytes JMP 74afb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000764816b2 2 bytes JMP 74b78584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000764816bd 2 bytes JMP 74b77d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.2 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- Processes - GMER 2.2 ----

Library  C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\HCDNClientNet.dll (*** suspicious ***) @ C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\QyKernel.exe [2576]  00000000000e0000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  ?????????????????????????????????????????????????????a???????e????????????????????????????????????????????????e???(????????e??????????????N??????r????DppD??????????????t???????????????p???? ???????~??????????6-21-2006???????????????????\??\C:\Program Files (x86)\Wifisrv\160WifiNetPro64.sys???n??v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\svchost.exe|Svc=policyagent|Name=@FirewallAPI.dll,-30003|Desc=@FirewallAPI.dll,-30006|EmbedCtxt=@FirewallAPI.dll,-30002|???? ?????????????????????4????????0??? ??????k_C??? ???????,???????????????????????????????????i??? ??????????????????????????????N???????1.??{8ECC055D-047F-11D1-A537-0000F8753ED1}??????? ???????????????????????????????m??????s????S?0??A?t???X?h??????D???????????????????????????????????? ?????????????system32\DRIVERS\vwifimp.sys????{8ECC055D-047F-11D1-A537-0000F8753ED1}?1?1???k???????????????????????|??????????? ???????j?????????????,?????????????????O??? ??????????????????????????????????????s??????

---- EOF - GMER 2.2 ----
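Added example, not part of the pasted report and not GMER's own code: a Python script that parses GMER 2.2 "User code sections" lines into records and ranks them for triage. It treats a hook the same way in every process where it appears at the same address with the same target (here, the PSAPI.DLL two-byte jumps into kernel32.dll, which the report shows identically in every 32-bit process listed) and ranks above those the entries that need a human first: transfers to an address GMER did not attribute to any module (the two KERNELBASE.dll jumps in nvcontainer.exe) and byte patches or register-indirect jumps written into a function body (the ntdll.dll entries in Explorer.EXE). The sample input is a handful of lines copied from the report above, so the "seen in N processes" counts describe the sample, not the machine. Two things are assumptions of mine, not facts from the log: the "Windows directory" check is purely path-based (a real check would verify the file's signature), and `decode_mov_imm` reads the Explorer.EXE bytes as the low bytes of a `mov rax, imm64` whose unlisted trailing bytes were already zero; the script does not say whether any entry is malicious.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input: lines copied from the GMER report above (not a complete report).
SAMPLE_LOG = r"""
.text  C:\Windows\Explorer.EXE[1476]  C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1  0000000076d4b5e1 7 bytes [B8, 70, C0, 65, F4, FE, 07]
.text  C:\Windows\Explorer.EXE[1476]  C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10  0000000076d4b5ea 11 bytes {JMP RAX}
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
.text  D:\Malwarebytes Anti-Malware\mbamscheduler.exe[2392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007648144a 2 bytes CALL 74ad1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  D:\Malwarebytes Anti-Malware\mbam.exe[3408]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000075291bb2 5 bytes JMP 000000005b90b9fb
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076481401 2 bytes JMP 74aeeb26 C:\Windows\syswow64\kernel32.dll
"""

# ".text  <process>[pid]  <module>!<func> [+ off]  <addr> <n> bytes <detail>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!]+?)!(?P<func>\S+?)"
    r"(?:\s*\+\s*(?P<off>\d+))?\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<nbytes>\d+)\s+bytes\s+(?P<detail>.*)$"
)
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(?P<n>\d+)\s*$")   # GMER's "* N more like this"
TRANSFER_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)(?:\s+(?P<tmod>.+))?$")


def _base(path):
    return None if path is None else path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    offset: int
    address: int
    nbytes: int
    kind: str                           # "JMP", "CALL", "indirect" (e.g. {JMP RAX}) or "bytes"
    target: Optional[int] = None
    target_module: Optional[str] = None  # None when GMER printed no module after the target
    patch_bytes: bytes = b""
    elided_following: int = 0           # count from a ".text ... * N" line right after this entry

    def signature(self):
        # Identity of the hook independent of the process it was seen in.
        return (_base(self.module), self.func, self.offset, self.kind,
                self.target, _base(self.target_module))


def parse_hook(line):
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    detail = m["detail"].strip()
    kind, target, tmod, patch = "bytes", None, None, b""
    t = TRANSFER_RE.match(detail)
    if t:
        kind, target, tmod = t["kind"], int(t["target"], 16), t["tmod"]
    elif detail.startswith("{"):
        kind = "indirect"
    elif detail.startswith("["):
        patch = bytes(int(b, 16) for b in detail.strip("[]").split(","))
    return Hook(m["proc"].strip(), int(m["pid"]), m["module"].strip(), m["func"],
                int(m["off"] or 0), int(m["addr"], 16), int(m["nbytes"]), kind, target, tmod, patch)


def parse_log(text):
    hooks = []
    for line in text.splitlines():
        e = ELIDED_RE.match(line.strip())
        if e and hooks:
            hooks[-1].elided_following = int(e["n"])
            continue
        h = parse_hook(line)
        if h:
            hooks.append(h)
    return hooks


def decode_mov_imm(patch, width=8):
    """If the listed bytes start with B8 (mov eax/rax, imm), rebuild the immediate.
    Assumption: GMER lists only changed bytes, so unlisted trailing bytes are zero."""
    if not patch or patch[0] != 0xB8:
        return None
    return int.from_bytes(patch[1:1 + width].ljust(width, b"\x00"), "little")


def _in_windows_dir(path):
    # Heuristic, path-based only; a real check would verify the file's signature.
    return path is not None and path.lower().startswith("c:\\windows\\")


def priority(h, n_procs):
    if h.kind in ("JMP", "CALL") and h.target_module is None:
        return "high"     # transfer into memory GMER attributed to no module
    if h.kind in ("indirect", "bytes"):
        return "high"     # trampoline bytes / register-indirect jump inside the function
    if n_procs > 1 and _in_windows_dir(h.module) and _in_windows_dir(h.target_module):
        return "low"      # same Windows-DLL-to-Windows-DLL hook seen in several processes
    return "medium"


PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(hooks):
    pids_by_sig = defaultdict(set)
    for h in hooks:
        pids_by_sig[h.signature()].add(h.pid)
    rows = [(priority(h, len(pids_by_sig[h.signature()])), h, len(pids_by_sig[h.signature()]))
            for h in hooks]
    rows.sort(key=lambda r: PRIORITY_ORDER[r[0]])
    return rows


if __name__ == "__main__":
    for pri, h, n in triage(parse_log(SAMPLE_LOG)):
        tgt = f"{h.target:x} ({_base(h.target_module)})" if h.target is not None else h.kind
        print(f"{pri:6} pid={h.pid:<5} {_base(h.module)}!{h.func}+{h.offset} -> {tgt}  seen_in={n} procs")
```

Run it against a full report by replacing `SAMPLE_LOG` with the file contents; the `.text ... * N` lines are kept as a count on the preceding entry rather than dropped, so the number of hooks GMER chose not to print is still visible in the output.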