GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-23 10:37:31
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: gmer.exe; Driver: C:\Users\Darek\AppData\Local\Temp\pgddqpoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076fea400 7 bytes JMP 000000016fff0260
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076ff3f20 5 bytes JMP 000000016fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007700ffb0 5 bytes JMP 000000016fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007701f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077049a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077059630 5 bytes JMP 000000016fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000770787e0 7 bytes JMP 000000016fff0228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe587490 11 bytes JMP 000007fffd020228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1592] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe59bf00 7 bytes JMP 000007fffd020260
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076fea400 7 bytes JMP 000000016fff0260
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076ff3f20 5 bytes JMP 000000016fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007700ffb0 5 bytes JMP 000000016fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007701f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077049a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077059630 5 bytes JMP 000000016fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000770787e0 7 bytes JMP 000000016fff0228
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe8189e0 8 bytes JMP 000007fffd0201f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2512] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe81be40 8 bytes JMP 000007fffd0201b8
.text C:\Windows\system32\Dwm.exe[4224] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd032db0 5 bytes JMP 000007fffd020180
.text C:\Windows\system32\Dwm.exe[4224] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd0337d0 7 bytes JMP 000007fffd0200d8
.text C:\Windows\system32\Dwm.exe[4224] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd038ef0 6 bytes JMP 000007fffd020148
.text C:\Windows\system32\Dwm.exe[4224] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd04af60 5 bytes JMP 000007fffd020110
.text C:\Windows\system32\Dwm.exe[4224] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe8189e0 8 bytes JMP 000007fffd0201f0
.text C:\Windows\system32\Dwm.exe[4224] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe81be40 8 bytes JMP 000007fffd0201b8
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffcb0 5 bytes JMP 00000001003b091c
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772ffe14 5 bytes JMP 00000001003b0048
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772ffea8 5 bytes JMP 00000001003b02ee
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077300004 5 bytes JMP 00000001003b04b2
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300038 5 bytes JMP 00000001003b09fe
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077300068 5 bytes JMP 00000001003b0ae0
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077300084 5 bytes JMP 0000000100030050
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007730079c 5 bytes JMP 00000001003b012a
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007730088c 5 bytes JMP 00000001003b0758
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773008a4 5 bytes JMP 00000001003b0676
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077300df4 5 bytes JMP 00000001003b03d0
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077301920 5 bytes JMP 00000001003b0594
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077301be4 5 bytes JMP 00000001003b083a
.text C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[4708] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077301d70 5 bytes JMP 00000001003b020c
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5140] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe587490 11 bytes JMP 000007fffd020228
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5140] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe59bf00 7 bytes JMP 000007fffd020260
.text C:\Program Files\Apoint2K\Apoint.exe[5212] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076fea400 7 bytes JMP 000000016fff0260
.text C:\Program Files\Apoint2K\Apoint.exe[5212] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076ff3f20 5 bytes JMP 000000016fff01b8
.text C:\Program Files\Apoint2K\Apoint.exe[5212] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007700ffb0 5 bytes JMP 000000016fff01f0
.text C:\Program Files\Apoint2K\Apoint.exe[5212] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007701f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files\Apoint2K\Apoint.exe[5212] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077049a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\Apoint2K\Apoint.exe[5212] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000770594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files\Apoint2K\Apoint.exe[5212] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077059630 5 bytes JMP 000000016fff0110
.text C:\Program Files\Apoint2K\Apoint.exe[5212] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000770787e0 7 bytes JMP 000000016fff0228
.text C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe[5424] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd032db0 5 bytes JMP 000007fffd020180
.text C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe[5424] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd0337d0 7 bytes JMP 000007fffd0200d8
.text C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe[5424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd038ef0 6 bytes JMP 000007fffd020148
.text C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe[5424] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd04af60 5 bytes JMP 000007fffd020110
.text C:\Program Files (x86)\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000757f1465 2 bytes [7F, 75]
.text C:\Program Files (x86)\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe[5388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757f14bb 2 bytes [7F, 75]
.text ... * 2
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756e1f0e 7 bytes JMP 0000000171b9168b
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756e5bad 7 bytes JMP 0000000171b911a4
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756f1409 7 bytes JMP 0000000171b91280
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756fea45 7 bytes JMP 0000000171b9123a
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007570b21b 5 bytes JMP 0000000171b915a0
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075788e24 7 bytes JMP 0000000171b9132f
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075788ea9 5 bytes JMP 0000000171b916cc
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000757891ff 1 byte JMP 0000000171b91703
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW + 2 0000000075789201 3 bytes {JMP 0xfffffffffc408504}
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1d29 5 bytes JMP 0000000171b911bd
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1dd7 5 bytes JMP 0000000171b91014
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea2ab1 5 bytes JMP 0000000171b9154b
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea2d17 5 bytes JMP 0000000171b91267
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\user32.dll!CreateWindowExW 0000000075818a29 5 bytes JMP 0000000171b9171c
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\user32.dll!EnumDisplayDevicesA 0000000075824572 5 bytes JMP 0000000171b910a0
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\user32.dll!EnumDisplayDevicesW 000000007583e567 5 bytes JMP 0000000171b9140b
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\user32.dll!DisplayConfigGetDeviceInfo 0000000075877a5c 5 bytes JMP 0000000171b915c8
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075cae96b 5 bytes JMP 0000000171b915b9
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075caeba5 5 bytes JMP 0000000171b91181
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b35ea5 5 bytes JMP 0000000171b915f0
.text C:\Program Files\totalcmd\TOTALCMD.EXE[6456] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075b69d0b 5 bytes JMP 0000000171b91217
? C:\Windows\system32\mssprxy.dll [6456] entry point in ".rdata" section 000000006a4771e6
.text C:\Program Files\Fujitsu\Plugfree NETWORK\PFNetDm.EXE[5472] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd032db0 5 bytes JMP 000007fffd020180
.text C:\Program Files\Fujitsu\Plugfree NETWORK\PFNetDm.EXE[5472] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd0337d0 7 bytes JMP 000007fffd0200d8
.text C:\Program Files\Fujitsu\Plugfree NETWORK\PFNetDm.EXE[5472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd038ef0 6 bytes JMP 000007fffd020148
.text C:\Program Files\Fujitsu\Plugfree NETWORK\PFNetDm.EXE[5472] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd04af60 5 bytes JMP 000007fffd020110
.text C:\Program Files\Fujitsu\Plugfree NETWORK\PFNTray.EXE[5900] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd032db0 5 bytes JMP 000007fffd020180
.text C:\Program Files\Fujitsu\Plugfree NETWORK\PFNTray.EXE[5900] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd0337d0 7 bytes JMP 000007fffd0200d8
.text C:\Program Files\Fujitsu\Plugfree NETWORK\PFNTray.EXE[5900] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd038ef0 6 bytes JMP 000007fffd020148
.text C:\Program Files\Fujitsu\Plugfree NETWORK\PFNTray.EXE[5900] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd04af60 5 bytes JMP 000007fffd020110
.text C:\Windows\system32\wuauclt.exe[1424] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe587490 11 bytes JMP 000007fffd020228
.text C:\Windows\system32\wuauclt.exe[1424] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe59bf00 7 bytes JMP 000007fffd020260
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756e1f0e 7 bytes JMP 0000000171b9168b
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756e5bad 7 bytes JMP 0000000171b911a4
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000756e8791 5 bytes JMP 00000001629c95e9
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756f1409 7 bytes JMP 0000000171b91280
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756fea45 7 bytes JMP 0000000171b9123a
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007570b21b 5 bytes JMP 0000000171b915a0
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075788e24 7 bytes JMP 0000000171b9132f
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075788ea9 5 bytes JMP 0000000171b916cc
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000757891ff 1 byte JMP 0000000171b91703
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW + 2 0000000075789201 3 bytes {JMP 0xfffffffffc408504}
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1d29 5 bytes JMP 0000000171b911bd
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1dd7 5 bytes JMP 0000000171b91014
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea2ab1 5 bytes JMP 0000000171b9154b
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea2d17 5 bytes JMP 0000000171b91267
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075cae96b 5 bytes JMP 0000000171b915b9
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075caeba5 5 bytes JMP 0000000171b91181
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075818a29 5 bytes JMP 0000000171b9171c
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075819ebd 5 bytes JMP 00000001629e581a
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075820afa 5 bytes JMP 00000001629ea3a4
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000075821361 5 bytes JMP 00000001629f74ed
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075824572 5 bytes JMP 0000000171b910a0
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000075827849 5 bytes JMP 0000000162b5335e
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007583e567 5 bytes JMP 0000000171b9140b
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075877a5c 5 bytes JMP 0000000171b915c8
? C:\Windows\system32\mssprxy.dll [6772] entry point in ".rdata" section 000000006a4771e6
.text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[6772] C:\Program Files (x86)\Microsoft Office\Office15\outlrpc.dll!MAPIRevokeMoniker@4 + 657 000000007115287c 4 bytes [FE, E2, 77, B6]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756e1f0e 7 bytes JMP 0000000171b9168b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756e5bad 7 bytes JMP 0000000171b911a4
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756f1409 7 bytes JMP 0000000171b91280
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756fea45 7 bytes JMP 0000000171b9123a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007570b21b 5 bytes JMP 0000000171b915a0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075788e24 7 bytes JMP 0000000171b9132f
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075788ea9 5 bytes JMP 0000000171b916cc
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000757891ff 1 byte JMP 0000000171b91703
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW + 2 0000000075789201 3 bytes {JMP 0xfffffffffc408504}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1d29 5 bytes JMP 0000000171b911bd
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1dd7 5 bytes JMP 0000000171b91014
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea2ab1 5 bytes JMP 0000000171b9154b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea2d17 5 bytes JMP 0000000171b91267
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\user32.DLL!CreateWindowExW 0000000075818a29 5 bytes JMP 0000000171b9171c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesA 0000000075824572 5 bytes JMP 0000000171b910a0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesW 000000007583e567 5 bytes JMP 0000000171b9140b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1776] C:\Windows\syswow64\user32.DLL!DisplayConfigGetDeviceInfo 0000000075877a5c 5 bytes JMP 0000000171b915c8
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6720] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1d29 5 bytes JMP 0000000171b911bd
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6720] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1dd7 5 bytes JMP 0000000171b91014
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6720] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea2ab1 5 bytes JMP 0000000171b9154b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6720] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea2d17 5 bytes JMP 0000000171b91267
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6720] C:\Windows\syswow64\user32.DLL!CreateWindowExW 0000000075818a29 5 bytes JMP 0000000171b9171c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6720] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesA 0000000075824572 5 bytes JMP 0000000171b910a0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6720] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesW 000000007583e567 5 bytes JMP 0000000171b9140b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6720] C:\Windows\syswow64\user32.DLL!DisplayConfigGetDeviceInfo 0000000075877a5c 5 bytes JMP 0000000171b915c8
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5996] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1d29 5 bytes JMP 0000000171b911bd
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5996] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1dd7 5 bytes JMP 0000000171b91014
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea2ab1 5 bytes JMP 0000000171b9154b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5996] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea2d17 5 bytes JMP 0000000171b91267
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5996] C:\Windows\syswow64\user32.DLL!CreateWindowExW 0000000075818a29 5 bytes JMP 0000000171b9171c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5996] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesA 0000000075824572 5 bytes JMP 0000000171b910a0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5996] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesW 000000007583e567 5 bytes JMP 0000000171b9140b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5996] C:\Windows\syswow64\user32.DLL!DisplayConfigGetDeviceInfo 0000000075877a5c 5 bytes JMP 0000000171b915c8
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5992] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1d29 5 bytes JMP 0000000171b911bd
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5992] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1dd7 5 bytes JMP 0000000171b91014
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5992] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea2ab1 5 bytes JMP 0000000171b9154b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5992] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea2d17 5 bytes JMP 0000000171b91267
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5992] C:\Windows\syswow64\user32.DLL!CreateWindowExW 0000000075818a29 5 bytes JMP 0000000171b9171c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5992] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesA 0000000075824572 5 bytes JMP 0000000171b910a0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5992] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesW 000000007583e567 5 bytes JMP 0000000171b9140b
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5992] C:\Windows\syswow64\user32.DLL!DisplayConfigGetDeviceInfo 0000000075877a5c 5 bytes JMP 0000000171b915c8
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffcb0 5 bytes JMP 000000010032091c
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772ffe14 5 bytes JMP 0000000100320048
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772ffea8 5 bytes JMP 00000001003202ee
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077300004 5 bytes JMP 00000001003204b2
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300038 5 bytes JMP 00000001003209fe
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077300068 5 bytes JMP 0000000100320ae0
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077300084 5 bytes JMP 0000000100020050
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007730079c 5 bytes JMP 000000010032012a
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007730088c 5 bytes JMP 0000000100320758
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773008a4 5 bytes JMP 0000000100320676
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077300df4 5 bytes JMP 00000001003203d0
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077301920 5 bytes JMP 0000000100320594
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077301be4 5 bytes JMP 000000010032083a
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077301d70 5 bytes JMP 000000010032020c
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000756e1f0e 7 bytes JMP 0000000171b9168b
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000756e5bad 7 bytes JMP 0000000171b911a4
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756f1409 7 bytes JMP 0000000171b91280
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000756fea45 7 bytes JMP 0000000171b9123a
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007570b21b 5 bytes JMP 0000000171b915a0
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075788e24 7 bytes JMP 0000000171b9132f
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075788ea9 5 bytes JMP 0000000171b916cc
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000757891ff 1 byte JMP 0000000171b91703
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW + 2 0000000075789201 3 bytes {JMP 0xfffffffffc408504}
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076ea1d29 5 bytes JMP 0000000171b911bd
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076ea1dd7 5 bytes JMP 0000000171b91014
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076ea2ab1 5 bytes JMP 0000000171b9154b
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076ea2d17 5 bytes JMP 0000000171b91267
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000759e524f 7 bytes JMP 0000000100320f52
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000759e53d0 7 bytes JMP 0000000100330210
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000759e5677 1 byte JMP 0000000100330048
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 00000000759e5679 5 bytes {JMP 0xffffffff8a94a9d1}
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000759e589a 7 bytes JMP 0000000100320ca6
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000759e5a1d 7 bytes JMP 00000001003303d8
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000759e5c9b 7 bytes JMP 000000010033012c
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000759e5d87 7 bytes JMP 00000001003302f4
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000759e7240 7 bytes JMP 0000000100320e6e
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075cae96b 5 bytes JMP 0000000171b915b9
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075caeba5 5 bytes JMP 0000000171b91181
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075818a29 5 bytes JMP 0000000171b9171c
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075824572 5 bytes JMP 0000000171b910a0
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007583e567 5 bytes JMP 0000000171b9140b
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075861492 7 bytes JMP 00000001003304bc
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075877a5c 5 bytes JMP 0000000171b915c8
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b35ea5 5 bytes JMP 0000000171b915f0
.text C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe[6944] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075b69d0b 5 bytes JMP 0000000171b91217

---- Threads - GMER 2.1 ----

Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2580] 0000000077333e85
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2596] 0000000077332e65
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2620] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2624] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2628] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2632] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2636] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2640] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2644] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2648] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2652] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2656] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2772] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2776] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2780] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2796] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2816] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2820] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2832] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2900] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2936] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2988] 0000000077333e85
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:4988] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:6272] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:1500] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:6124] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:2120] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:6928] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:5548] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:6148] 00000000718829e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2500:6548] 00000000718829e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2664] 0000000077333e85
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2672] 0000000077332e65
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2692]
00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2696] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2700] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2704] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2708] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2712] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2716] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2720] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2724] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2728] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2760] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2764] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2768] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2800] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2808] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2836] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2848] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2852] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL 
Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2968] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2992] 0000000077333e85 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:6924] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2948] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:6968] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:4144] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:6972] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:6400] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:7104] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:5776] 00000000718829e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3424] 00000000718829e1 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1036] 000000006fbc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1036](2013-12-23 12:15:47) 000000006e940000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1036](2 000000006a1c0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1036](2013-12-23 12:15:47) 000000006ff00000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ 
C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1036](2013-12-23 12:15:47) 000000006efc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1036](201 000000006ed40000 Process C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe (*** suspicious ***) @ C:\Users\Darek\AppData\Local\Temp\_tc\gmer.exe [6944](2014-06-23 08 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{4B68645D-1EC2-431F-A16E-A2237FF8F574}\Connection@Name isatap.{61066111-44CC-4E9A-BAEF-2592700D6240} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B40E741D-BD2F-4F37-8AEA-5E2CBA5D1895}\Connection@Name isatap.{E607C8C1-269B-46E9-9FA6-97FFF617A06E} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{B40E741D-BD2F-4F37-8AEA-5E2CBA5D1895}?\Device\{18D52158-1BA9-4604-BC42-49A202997C1A}?\Device\{4B68645D-1EC2-431F-A16E-A2237FF8F574}?\Device\{5EDED590-4D6F-4375-9280-F298628AC53A}?\Device\{012CD5FE-FA32-4897-BB80-5A7FD8ED074C}?\Device\{2DA13BD7-0D40-471D-B771-F5705CAB01F2}?\Device\{55BA0E6F-71DF-4055-8E15-0F54CC4A891C}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{B40E741D-BD2F-4F37-8AEA-5E2CBA5D1895}"?"{18D52158-1BA9-4604-BC42-49A202997C1A}"?"{4B68645D-1EC2-431F-A16E-A2237FF8F574}"?"{5EDED590-4D6F-4375-9280-F298628AC53A}"?"{012CD5FE-FA32-4897-BB80-5A7FD8ED074C}"?"{2DA13BD7-0D40-471D-B771-F5705CAB01F2}"?"{55BA0E6F-71DF-4055-8E15-0F54CC4A891C}"? 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{B40E741D-BD2F-4F37-8AEA-5E2CBA5D1895}?\Device\TCPIP6TUNNEL_{18D52158-1BA9-4604-BC42-49A202997C1A}?\Device\TCPIP6TUNNEL_{4B68645D-1EC2-431F-A16E-A2237FF8F574}?\Device\TCPIP6TUNNEL_{5EDED590-4D6F-4375-9280-F298628AC53A}?\Device\TCPIP6TUNNEL_{012CD5FE-FA32-4897-BB80-5A7FD8ED074C}?\Device\TCPIP6TUNNEL_{2DA13BD7-0D40-471D-B771-F5705CAB01F2}?\Device\TCPIP6TUNNEL_{55BA0E6F-71DF-4055-8E15-0F54CC4A891C}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????????????????????????????????????5??????????? ??????????????????????????????? ???????????????????????????????????????f??? ?????????????????????0??L????????? ??????n?o??? ?????????????????????0????????????&???????????????????????????????? ??????????????s???192.168.12.95???????????????????????255.255.252.0???? ??????????????????192.168.12.1??????????????????????????????????????????????e????????????????????????e???????????????????????????????????????????????????????????????????????e??????&??????????????t??192.168.12.1?????????????????????????????????????o?????????????e????192.168.12.1????26974676F637A736A7??????????????????????????????????????????????????????????????????????????????????6???????????5?????????????????????3?????????????????????????????????????????????????????????????????????????????????? ??????????????????bydgoszcz.pl?????????????0???????s??6.1.7601.17577???????????????m?????s2d????????????????????????t?????255.255.252.0?????????????????????????????????????????????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c86be2ec Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c86be2ec@000780426781 0x00 0x20 0xEF 0xA7 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{4B68645D-1EC2-431F-A16E-A2237FF8F574}@InterfaceName isatap.{61066111-44CC-4E9A-BAEF-2592700D6240} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{4B68645D-1EC2-431F-A16E-A2237FF8F574}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{B40E741D-BD2F-4F37-8AEA-5E2CBA5D1895}@InterfaceName isatap.{E607C8C1-269B-46E9-9FA6-97FFF617A06E} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{B40E741D-BD2F-4F37-8AEA-5E2CBA5D1895}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c86be2ec (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c86be2ec@000780426781 0x00 0x20 0xEF 0xA7 ... ---- EOF - GMER 2.1 ----