GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-05 21:45:57
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AC1 465,76GB
Running: ezl986lp.exe; Driver: C:\Users\MICHA~1\AppData\Local\Temp\ufldypod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544  fffff800031f2000 92 bytes [88, BC, 24, E0, 00, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 637  fffff800031f205d 52 bytes [0F, BA, 65, 68, 10, 0F, 82, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1948] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000772487b1 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1948] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000076121465 2 bytes [12, 76]
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1948] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000761214bb 2 bytes [12, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA  0000000077251429 7 bytes JMP 00000001741b12ad
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW  000000007726b223 5 bytes JMP 00000001741b15be
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx  00000000772e88f4 7 bytes JMP 00000001741b1357
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation  00000000772e8979 5 bytes JMP 00000001741b16e0
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW  00000000772e8ccf 5 bytes JMP 00000001741b1028
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW  0000000076081d1b 5 bytes JMP 00000001741b11ef
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW  0000000076081dc9 5 bytes JMP 00000001741b1023
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000076082aa4 5 bytes JMP 00000001741b156e
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary  0000000076082d0a 5 bytes JMP 00000001741b1294
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000075d58a29 5 bytes JMP 00000001741b1050
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\USER32.dll!SetFocus  0000000075d62175 5 bytes JMP 0000000169fa14e0
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA  0000000075d64572 5 bytes JMP 00000001741b10d2
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\USER32.dll!FlashWindow  0000000075d6bfd7 5 bytes JMP 0000000169fa1450
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\USER32.dll!FlashWindowEx  0000000075d6c016 5 bytes JMP 0000000169fa14a0
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket  0000000076e95ea5 5 bytes JMP 00000001741b1609
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\ole32.dll!CoCreateInstance  0000000076ec9d0b 5 bytes JMP 00000001741b1249
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076121465 2 bytes [12, 76]
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000761214bb 2 bytes [12, 76]
.text  ...  * 2
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000077251429 7 bytes JMP 00000001741b12ad
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  000000007726b223 5 bytes JMP 00000001741b15be
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  00000000772e88f4 7 bytes JMP 00000001741b1357
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  00000000772e8979 5 bytes JMP 00000001741b16e0
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000772e8ccf 5 bytes JMP 00000001741b1028
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW  0000000076081d1b 5 bytes JMP 00000001741b11ef
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW  0000000076081dc9 5 bytes JMP 00000001741b1023
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000076082aa4 5 bytes JMP 00000001741b156e
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary  0000000076082d0a 5 bytes JMP 00000001741b1294
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000075d58a29 5 bytes JMP 00000001741b1050
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\USER32.dll!SetFocus  0000000075d62175 5 bytes JMP 0000000169fa14e0
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA  0000000075d64572 5 bytes JMP 00000001741b10d2
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\USER32.dll!FlashWindow  0000000075d6bfd7 5 bytes JMP 0000000169fa1450
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\USER32.dll!FlashWindowEx  0000000075d6c016 5 bytes JMP 0000000169fa14a0
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket  0000000076e95ea5 5 bytes JMP 00000001741b1609
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\ole32.dll!CoCreateInstance  0000000076ec9d0b 5 bytes JMP 00000001741b1249
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076121465 2 bytes [12, 76]
.text  D:\XWindows Dock\XWD.exe[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000761214bb 2 bytes [12, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000077251429 7 bytes JMP 00000001741b12ad
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  000000007726b223 5 bytes JMP 00000001741b15be
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  00000000772e88f4 7 bytes JMP 00000001741b1357
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  00000000772e8979 5 bytes JMP 00000001741b16e0
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000772e8ccf 5 bytes JMP 00000001741b1028
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW  0000000076081d1b 5 bytes JMP 00000001741b11ef
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW  0000000076081dc9 5 bytes JMP 00000001741b1023
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000076082aa4 5 bytes JMP 00000001741b156e
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary  0000000076082d0a 5 bytes JMP 00000001741b1294
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000075d58a29 5 bytes JMP 00000001741b1050
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\USER32.dll!SetFocus  0000000075d62175 5 bytes JMP 0000000169fa14e0
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA  0000000075d64572 5 bytes JMP 00000001741b10d2
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\USER32.dll!FlashWindow  0000000075d6bfd7 5 bytes JMP 0000000169fa1450
.text  C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe[3400] C:\Windows\syswow64\USER32.dll!FlashWindowEx  0000000075d6c016 5 bytes JMP 0000000169fa14a0
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3464] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3464] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076121465 2 bytes [12, 76]
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[3464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000761214bb 2 bytes [12, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000077251429 7 bytes JMP 00000001741b12ad
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  000000007726b223 5 bytes JMP 00000001741b15be
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  00000000772e88f4 7 bytes JMP 00000001741b1357
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  00000000772e8979 5 bytes JMP 00000001741b16e0
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000772e8ccf 5 bytes JMP 00000001741b1028
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW  0000000076081d1b 5 bytes JMP 00000001741b11ef
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW  0000000076081dc9 5 bytes JMP 00000001741b1023
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000076082aa4 5 bytes JMP 00000001741b156e
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary  0000000076082d0a 5 bytes JMP 00000001741b1294
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000075d58a29 5 bytes JMP 00000001741b1050
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA  0000000075d64572 5 bytes JMP 00000001741b10d2
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076121465 2 bytes [12, 76]
.text  C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000761214bb 2 bytes [12, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[4056] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe[4056] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076121465 2 bytes [12, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000761214bb 2 bytes [12, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[3220] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe[3220] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe[4168] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe[4168] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[3332] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000075d58a29 5 bytes JMP 00000001741b1050
.text  C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[3332] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA  0000000075d64572 5 bytes JMP 00000001741b10d2
.text  C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[3332] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[3332] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000077251429 7 bytes JMP 00000001741b12ad
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  000000007726b223 5 bytes JMP 00000001741b15be
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  00000000772e88f4 7 bytes JMP 00000001741b1357
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  00000000772e8979 5 bytes JMP 00000001741b16e0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000772e8ccf 5 bytes JMP 00000001741b1028
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW  0000000076081d1b 5 bytes JMP 00000001741b11ef
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW  0000000076081dc9 5 bytes JMP 00000001741b1023
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000076082aa4 5 bytes JMP 00000001741b156e
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary  0000000076082d0a 5 bytes JMP 00000001741b1294
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000075d58a29 5 bytes JMP 00000001741b1050
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\USER32.dll!SetFocus  0000000075d62175 5 bytes JMP 0000000169fa14e0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA  0000000075d64572 5 bytes JMP 00000001741b10d2
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\USER32.dll!FlashWindow  0000000075d6bfd7 5 bytes JMP 0000000169fa1450
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\USER32.dll!FlashWindowEx  0000000075d6c016 5 bytes JMP 0000000169fa14a0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket  0000000076e95ea5 5 bytes JMP 00000001741b1609
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\ole32.dll!CoCreateInstance  0000000076ec9d0b 5 bytes JMP 00000001741b1249
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076121465 2 bytes [12, 76]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[8652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000761214bb 2 bytes [12, 76]
.text  ...  * 2
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000077251429 7 bytes JMP 00000001741b12ad
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  000000007726b223 5 bytes JMP 00000001741b15be
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  00000000772e88f4 7 bytes JMP 00000001741b1357
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  00000000772e8979 5 bytes JMP 00000001741b16e0
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000772e8ccf 5 bytes JMP 00000001741b1028
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW  0000000076081d1b 5 bytes JMP 00000001741b11ef
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW  0000000076081dc9 5 bytes JMP 00000001741b1023
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000076082aa4 5 bytes JMP 00000001741b156e
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary  0000000076082d0a 5 bytes JMP 00000001741b1294
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007615e9a2 5 bytes JMP 00000001741b15d7
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007615ebdc 5 bytes JMP 00000001741b11b8
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000075d58a29 5 bytes JMP 00000001741b1050
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA  0000000075d64572 5 bytes JMP 00000001741b10d2
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket  0000000076e95ea5 5 bytes JMP 00000001741b1609
.text  C:\Users\Michał\Desktop\ezl986lp.exe[4744] C:\Windows\syswow64\ole32.dll!CoCreateInstance  0000000076ec9d0b 5 bytes JMP 00000001741b1249

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\svchost.exe[548] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [55580002820] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[548] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [55580002700] c:\windows\system32\uxtuneup.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\svchost.exe [1136:3604]  000007feefe93f1c
Thread  C:\Windows\system32\svchost.exe [1136:3608]  000007fef5591a38
Thread  C:\Windows\system32\svchost.exe [1136:3612]  000007fef50e5388
Thread  C:\Windows\system32\svchost.exe [1136:3616]  000007feefe57738
Thread  C:\Windows\system32\svchost.exe [1136:3644]  000007feefe41f90
Thread  C:\Windows\system32\svchost.exe [1136:3696]  000007fef8da5170
Thread  C:\Windows\Explorer.EXE [1920:2656]  0000000004231de4
Thread  C:\Windows\Explorer.EXE [1920:4872]  00000000045017e8
Thread  C:\Windows\Explorer.EXE [1920:4876]  0000000004512804
Thread  C:\Windows\Explorer.EXE [1920:4880]  0000000004512fe8
Thread  C:\Windows\Explorer.EXE [1920:4884]  0000000004512fe8
Thread  C:\Windows\Explorer.EXE [1920:4888]  0000000004512fe8
Thread  C:\Windows\Explorer.EXE [1920:4892]  0000000004512fe8
Thread  C:\Windows\Explorer.EXE [1920:4896]  0000000004521390
Thread  C:\Windows\Explorer.EXE [1920:4900]  0000000004521238

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde993644
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df1fedf8
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch  10848
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde993644 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df1fedf8 (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----