GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-22 12:48:52 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MQ01ABD050 rev.AX002J 465,76GB Running: g7b5u3jp.exe; Driver: C:\Users\Maciek\AppData\Local\Temp\ufdyyaod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007760af40 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077614a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077632990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007763efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000776699b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000776794d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007769a500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd582db0 5 bytes JMP 000007fffd570180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5837d0 7 bytes JMP 000007fffd5700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd588ef0 6 bytes JMP 000007fffd570148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd59af60 5 bytes JMP 000007fffd570110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefedd89e0 8 bytes JMP 000007fffd5701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefeddbe40 8 bytes JMP 000007fffd5701b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefefc7490 11 bytes JMP 000007fffd570228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefefdbf00 7 bytes JMP 000007fffd570260 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd582db0 5 bytes JMP 000007fffd570180 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5837d0 7 bytes JMP 000007fffd5700d8 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd588ef0 6 bytes JMP 000007fffd570148 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd59af60 5 bytes JMP 000007fffd570110 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefedd89e0 8 bytes JMP 000007fffd5701f0 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefeddbe40 8 bytes JMP 000007fffd5701b8 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef945dc88 5 bytes JMP 000007fff92500d8 .text C:\Windows\system32\Dwm.exe[1544] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef945de10 5 bytes JMP 000007fff9250110 .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075641465 2 bytes [64, 75] .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756414bb 2 bytes [64, 75] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072641a22 2 bytes [64, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072641ad0 2 bytes [64, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072641b08 2 bytes [64, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072641bba 2 bytes [64, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072641bda 2 bytes [64, 72] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007760af40 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077614a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077632990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007763efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000776699b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000776794d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007769a500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd582db0 5 bytes JMP 000007fffd560180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5837d0 7 bytes JMP 000007fffd5600d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd588ef0 6 bytes JMP 000007fffd560148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd59af60 5 bytes JMP 000007fffd560110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefedd89e0 8 bytes JMP 000007fffd5601f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefeddbe40 8 bytes JMP 000007fffd5601b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fef5c22460 5 bytes JMP 000007fefd5602d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2380] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef5c596b0 6 bytes JMP 000007fefd560298 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076191eee 7 bytes JMP 0000000174e63550 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076195b85 7 bytes JMP 0000000174e637f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000761a13e1 7 bytes JMP 0000000174e63650 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000761aea0d 7 bytes JMP 0000000174e63540 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000762388b4 7 bytes JMP 0000000174e63310 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076238939 5 bytes JMP 0000000174e633c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076238c8f 5 bytes JMP 0000000174e63320 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077311d1b 5 bytes JMP 0000000174e632b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077311dc9 5 bytes JMP 0000000174e63270 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077312aa4 5 bytes JMP 0000000174e633d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077312d0a 5 bytes JMP 0000000174e630b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000762a8a29 5 bytes JMP 0000000174e62c60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000762b4572 5 bytes JMP 0000000174e63030 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000762ce567 5 bytes JMP 0000000174e630a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076307a5c 5 bytes JMP 0000000174e63020 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755de96b 5 bytes JMP 0000000174e62cd0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755deba5 5 bytes JMP 0000000174e62ce0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b75ea5 5 bytes JMP 0000000174e62c20 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ba9d0b 5 bytes JMP 0000000174e62bb0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075641465 2 bytes [64, 75] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756414bb 2 bytes [64, 75] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007760af40 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077614a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077632990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007763efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000776699b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000776794d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007769a500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd582db0 5 bytes JMP 000007fffd570180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd5837d0 7 bytes JMP 000007fffd5700d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd588ef0 6 bytes JMP 000007fffd570148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd59af60 5 bytes JMP 000007fffd570110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefedd89e0 8 bytes JMP 000007fffd5701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1940] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefeddbe40 8 bytes JMP 000007fffd5701b8 .text C:\Program Files (x86)\PANDORA.TV\PanService\PanProcess.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075641465 2 bytes [64, 75] .text C:\Program Files (x86)\PANDORA.TV\PanService\PanProcess.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756414bb 2 bytes [64, 75] .text ... * 2 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076191eee 7 bytes JMP 0000000174e63550 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076195b85 7 bytes JMP 0000000174e637f0 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000761a13e1 7 bytes JMP 0000000174e63650 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000761aea0d 7 bytes JMP 0000000174e63540 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000762388b4 7 bytes JMP 0000000174e63310 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076238939 5 bytes JMP 0000000174e633c0 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076238c8f 5 bytes JMP 0000000174e63320 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077311d1b 5 bytes JMP 0000000174e632b0 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077311dc9 5 bytes JMP 0000000174e63270 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077312aa4 5 bytes JMP 0000000174e633d0 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077312d0a 5 bytes JMP 0000000174e630b0 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 000000007731549c 5 bytes JMP 0000000100110800 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000762a8a29 5 bytes JMP 0000000174e62c60 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000762b4572 5 bytes JMP 0000000174e63030 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000762ce567 5 bytes JMP 0000000174e630a0 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076307a5c 5 bytes JMP 0000000174e63020 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b75ea5 5 bytes JMP 0000000174e62c20 .text C:\Program Files (x86)\Steam\Steam.exe[4028] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ba9d0b 5 bytes JMP 0000000174e62bb0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076191eee 7 bytes JMP 0000000174e63550 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076195b85 7 bytes JMP 0000000174e637f0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000761a13e1 7 bytes JMP 0000000174e63650 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000761aea0d 7 bytes JMP 0000000174e63540 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000762388b4 7 bytes JMP 0000000174e63310 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076238939 5 bytes JMP 0000000174e633c0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076238c8f 5 bytes JMP 0000000174e63320 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077311d1b 5 bytes JMP 0000000174e632b0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077311dc9 5 bytes JMP 0000000174e63270 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077312aa4 5 bytes JMP 0000000174e633d0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077312d0a 5 bytes JMP 0000000174e630b0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755de96b 5 bytes JMP 0000000174e62cd0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755deba5 5 bytes JMP 0000000174e62ce0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000762a8a29 5 bytes JMP 0000000174e62c60 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000762b4572 5 bytes JMP 0000000174e63030 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000762ce567 5 bytes JMP 0000000174e630a0 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076307a5c 5 bytes JMP 0000000174e63020 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b75ea5 5 bytes JMP 0000000174e62c20 .text C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe[4036] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ba9d0b 5 bytes JMP 0000000174e62bb0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076191eee 7 bytes JMP 0000000174e63550 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076195b85 7 bytes JMP 0000000174e637f0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000761a13e1 7 bytes JMP 0000000174e63650 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000761aea0d 7 bytes JMP 0000000174e63540 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000762388b4 7 bytes JMP 0000000174e63310 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076238939 5 bytes JMP 0000000174e633c0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076238c8f 5 bytes JMP 0000000174e63320 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077311d1b 5 bytes JMP 0000000174e632b0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077311dc9 5 bytes JMP 0000000174e63270 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077312aa4 5 bytes JMP 0000000174e633d0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077312d0a 5 bytes JMP 0000000174e630b0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000762a8a29 5 bytes JMP 0000000174e62c60 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000762b4572 5 bytes JMP 0000000174e63030 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000762ce567 5 bytes JMP 0000000174e630a0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076307a5c 5 bytes JMP 0000000174e63020 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755de96b 5 bytes JMP 0000000174e62cd0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755deba5 5 bytes JMP 0000000174e62ce0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b75ea5 5 bytes JMP 0000000174e62c20 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ba9d0b 5 bytes JMP 0000000174e62bb0 .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075641465 2 bytes [64, 75] .text C:\Program Files (x86)\Dtella@MS\dtella.exe[4076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756414bb 2 bytes [64, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076191eee 7 bytes JMP 0000000174e63550 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076195b85 7 bytes JMP 0000000174e637f0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000761a13e1 7 bytes JMP 0000000174e63650 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000761aea0d 7 bytes JMP 0000000174e63540 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000762388b4 7 bytes JMP 0000000174e63310 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076238939 5 bytes JMP 0000000174e633c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076238c8f 5 bytes JMP 0000000174e63320 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077311d1b 5 bytes JMP 0000000174e632b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077311dc9 5 bytes JMP 0000000174e63270 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077312aa4 5 bytes JMP 0000000174e633d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077312d0a 5 bytes JMP 0000000174e630b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755de96b 5 bytes JMP 0000000174e62cd0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755deba5 5 bytes JMP 0000000174e62ce0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000762a8a29 5 bytes JMP 0000000174e62c60 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000762b4572 5 bytes JMP 0000000174e63030 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000762ce567 5 bytes JMP 0000000174e630a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076307a5c 5 bytes JMP 0000000174e63020 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b75ea5 5 bytes JMP 0000000174e62c20 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1444] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ba9d0b 5 bytes JMP 0000000174e62bb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076191eee 7 bytes JMP 0000000174e63550 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076195b85 7 bytes JMP 0000000174e637f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000761a13e1 7 bytes JMP 0000000174e63650 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000761aea0d 7 bytes JMP 0000000174e63540 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000762388b4 7 bytes JMP 0000000174e63310 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076238939 5 bytes JMP 0000000174e633c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076238c8f 5 bytes JMP 0000000174e63320 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077311d1b 5 bytes JMP 0000000174e632b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077311dc9 5 bytes JMP 0000000174e63270 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077312aa4 5 bytes JMP 0000000174e633d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077312d0a 5 bytes JMP 0000000174e630b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755de96b 5 bytes JMP 0000000174e62cd0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755deba5 5 bytes JMP 0000000174e62ce0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000762a8a29 5 bytes JMP 0000000174e62c60 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000762b4572 5 bytes JMP 0000000174e63030 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000762ce567 5 bytes JMP 0000000174e630a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076307a5c 5 bytes JMP 0000000174e63020 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b75ea5 5 bytes JMP 0000000174e62c20 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2640] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075ba9d0b 5 bytes JMP 0000000174e62bb0 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3796] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 000000007731549c 5 bytes JMP 0000000100300800 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3796] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075641465 2 bytes [64, 75] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3796] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000756414bb 2 bytes [64, 75] .text ... * 2 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076191eee 7 bytes JMP 0000000174e63550 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000076195b85 7 bytes JMP 0000000174e637f0 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000761a13e1 7 bytes JMP 0000000174e63650 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000761aea0d 7 bytes JMP 0000000174e63540 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000762388b4 7 bytes JMP 0000000174e63310 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076238939 5 bytes JMP 0000000174e633c0 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076238c8f 5 bytes JMP 0000000174e63320 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077311d1b 5 bytes JMP 0000000174e632b0 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077311dc9 5 bytes JMP 0000000174e63270 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077312aa4 5 bytes JMP 0000000174e633d0 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077312d0a 5 bytes JMP 0000000174e630b0 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755de96b 5 bytes JMP 0000000174e62cd0 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755deba5 5 bytes JMP 0000000174e62ce0 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000762a8a29 5 bytes JMP 0000000174e62c60 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000762b4572 5 bytes JMP 0000000174e63030 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000762ce567 5 bytes JMP 0000000174e630a0 .text C:\Users\Maciek\Downloads\aa\laptop\g7b5u3jp.exe[496] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076307a5c 5 bytes JMP 0000000174e63020 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1624] (GG drive overlay/GG Network S.A.)(2013-04-09 20:24:42) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dc85de6a7124 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dc85de6a7124 (not active ControlSet) ---- EOF - GMER 2.1 ----