GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-19 15:39:27 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk3\DR3 -> \Device\Ide\IdeDeviceP3T1L0-9 OCZ-AGILITY3 rev.2.15 111,79GB Running: m57g1hli.exe; Driver: x:\temp\Temp\uxldipog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001a4100 7 bytes [C0, 92, F3, FF, 01, 9C, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 9 fffff960001a4109 2 bytes [06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskhost.exe[1504] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskhost.exe[1504] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\taskhost.exe[1504] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskhost.exe[1504] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[1756] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1800] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076328769 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1800] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1800] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Windows\Explorer.EXE[1860] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[1860] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\Explorer.EXE[1860] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[1860] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000710f1a22 2 bytes [0F, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000710f1ad0 2 bytes [0F, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000710f1b08 2 bytes [0F, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000710f1bba 2 bytes [0F, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000710f1bda 2 bytes [0F, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Windows\SysWOW64\PnkBstrA.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[2112] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[2112] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[2112] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Logitech\SetPointP\SetPoint.exe[2112] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2140] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2140] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2140] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2140] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[2172] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[2172] C:\Windows\system32\WS2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[2172] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\SmartTechnology\Software\ProfilerU.exe[2172] C:\Windows\system32\WS2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[2184] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[2184] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[2184] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\SmartTechnology\Software\SaiMfd.exe[2184] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\AQQ\AQQ.exe[2224] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\AQQ\AQQ.exe[2224] C:\Windows\system32\WS2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files (x86)\AQQ\AQQ.exe[2224] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\AQQ\AQQ.exe[2224] C:\Windows\system32\WS2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2384] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2384] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2384] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE[2384] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Wallpaper Changer\WallPaper.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Wallpaper Changer\WallPaper.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[2564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[2564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[2564] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 0000000075b430aa 7 bytes JMP 0000000100e20095 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[2564] C:\Windows\syswow64\WS2_32.dll!recv + 202 0000000075b46bd8 7 bytes JMP 0000000100e2002d .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[2564] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 0000000075b47142 7 bytes JMP 0000000100e200c9 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[2564] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom + 148 0000000075b4cc3a 7 bytes JMP 0000000100e20061 .text C:\Program Files\PeerBlock\peerblock.exe[2660] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000076e49b80 13 bytes {MOV R11, 0x13f72c920; JMP R11} .text C:\Program Files\PeerBlock\peerblock.exe[2660] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\PeerBlock\peerblock.exe[2660] C:\Windows\system32\WS2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\PeerBlock\peerblock.exe[2660] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\PeerBlock\peerblock.exe[2660] C:\Windows\system32\WS2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2736] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007714000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2736] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 00000000771cf8ea 5 bytes JMP 000000017717d5c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2736] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 0000000075b430aa 7 bytes JMP 0000000100b80095 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2736] C:\Windows\syswow64\WS2_32.dll!recv + 202 0000000075b46bd8 7 bytes JMP 0000000100b8002d .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2736] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 0000000075b47142 7 bytes JMP 0000000100b800c9 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2736] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom + 148 0000000075b4cc3a 7 bytes JMP 0000000100b80061 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files\UltraMon\UltraMon.exe[3008] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\UltraMon\UltraMon.exe[3008] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\UltraMon\UltraMon.exe[3008] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\UltraMon\UltraMon.exe[3008] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Users\tds\AppData\Roaming\minerd\bfgminer.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Users\tds\AppData\Roaming\minerd\bfgminer.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Windows\system32\conhost.exe[3064] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\conhost.exe[3064] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\conhost.exe[3064] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\conhost.exe[3064] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\conhost.exe[2056] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\conhost.exe[2056] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\conhost.exe[2056] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\conhost.exe[2056] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26 0000000072d613c6 2 bytes [D6, 72] .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74 0000000072d613f6 2 bytes [D6, 72] .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257 0000000072d614ad 2 bytes [D6, 72] .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303 0000000072d614db 2 bytes [D6, 72] .text ... * 2 .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79 0000000072d61577 2 bytes [D6, 72] .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175 0000000072d615d7 2 bytes [D6, 72] .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620 0000000072d61794 2 bytes [D6, 72] .text C:\Windows\SysWOW64\rundll32.exe[2444] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921 0000000072d618c1 2 bytes [D6, 72] .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[2084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[2084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3744] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3744] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3744] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3744] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3928] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd1745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3928] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd179480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3928] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd19e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3928] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd19e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4928] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076932aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4956] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076932aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4968] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076932aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076932aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe[2648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe[2648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text C:\Users\tds\Desktop\OTL.scr[5228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text C:\Users\tds\Desktop\OTL.scr[5228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[1440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077101465 2 bytes [10, 77] .text X:\temp\temp\Temp1_gm.zip\m57g1hli.exe[1440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771014bb 2 bytes [10, 77] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBD 0x81 0xC7 0x48 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x00 0xB2 0xB9 0xB4 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x77 0x50 0x02 0x9F ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x76 0x23 0x58 0x6E ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x03 0xDA 0x41 0xE0 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0xD7 0xC8 0xEF ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE9 0xC0 0xB6 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0xCC 0x46 0xC0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF1 0xC3 0x19 0x10 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE9 0xC0 0xB6 0x99 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0xCC 0x46 0xC0 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF1 0xC3 0x19 0x10 ... ---- EOF - GMER 2.1 ----