GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-01 03:55:46
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 PLEXTOR_PX-256M5S rev.1.04 238,47GB
Running: 7e1muly2.exe; Driver: D:\TEMP\awddykob.sys


---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076111401 2 bytes JMP 7693eb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076111419 2 bytes JMP 7694b513 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076111431 2 bytes JMP 769c8609 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   000000007611144a 2 bytes CALL 76921dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000761114dd 2 bytes JMP 769c7efe C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000761114f5 2 bytes JMP 769c80d8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   000000007611150d 2 bytes JMP 769c7df4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076111525 2 bytes JMP 769c81c2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   000000007611153d 2 bytes JMP 7693f088 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076111555 2 bytes JMP 7694b885 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   000000007611156d 2 bytes JMP 769c86c1 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076111585 2 bytes JMP 769c8222 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   000000007611159d 2 bytes JMP 769c7db8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000761115b5 2 bytes JMP 7693f121 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000761115cd 2 bytes JMP 7694b29f C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000761116b2 2 bytes JMP 769c8584 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000761116bd 2 bytes JMP 769c7d4d C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076111401 2 bytes JMP 7693eb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076111419 2 bytes JMP 7694b513 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076111431 2 bytes JMP 769c8609 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   000000007611144a 2 bytes CALL 76921dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000761114dd 2 bytes JMP 769c7efe C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000761114f5 2 bytes JMP 769c80d8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   000000007611150d 2 bytes JMP 769c7df4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076111525 2 bytes JMP 769c81c2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   000000007611153d 2 bytes JMP 7693f088 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076111555 2 bytes JMP 7694b885 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   000000007611156d 2 bytes JMP 769c86c1 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076111585 2 bytes JMP 769c8222 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   000000007611159d 2 bytes JMP 769c7db8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000761115b5 2 bytes JMP 7693f121 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000761115cd 2 bytes JMP 7694b29f C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000761116b2 2 bytes JMP 769c8584 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000761116bd 2 bytes JMP 769c7d4d C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076111401 2 bytes JMP 7693eb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076111419 2 bytes JMP 7694b513 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076111431 2 bytes JMP 769c8609 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   000000007611144a 2 bytes CALL 76921dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000761114dd 2 bytes JMP 769c7efe C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000761114f5 2 bytes JMP 769c80d8 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   000000007611150d 2 bytes JMP 769c7df4 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076111525 2 bytes JMP 769c81c2 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   000000007611153d 2 bytes JMP 7693f088 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076111555 2 bytes JMP 7694b885 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   000000007611156d 2 bytes JMP 769c86c1 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076111585 2 bytes JMP 769c8222 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   000000007611159d 2 bytes JMP 769c7db8 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000761115b5 2 bytes JMP 7693f121 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000761115cd 2 bytes JMP 7694b29f C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000761116b2 2 bytes JMP 769c8584 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\Downloads\Gadu-Gadu\Gadu-Gadu\gg.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000761116bd 2 bytes JMP 769c7d4d C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076111401 2 bytes JMP 7693eb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076111419 2 bytes JMP 7694b513 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076111431 2 bytes JMP 769c8609 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   000000007611144a 2 bytes CALL 76921dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000761114dd 2 bytes JMP 769c7efe C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000761114f5 2 bytes JMP 769c80d8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   000000007611150d 2 bytes JMP 769c7df4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076111525 2 bytes JMP 769c81c2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   000000007611153d 2 bytes JMP 7693f088 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076111555 2 bytes JMP 7694b885 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   000000007611156d 2 bytes JMP 769c86c1 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076111585 2 bytes JMP 769c8222 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   000000007611159d 2 bytes JMP 769c7db8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000761115b5 2 bytes JMP 7693f121 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000761115cd 2 bytes JMP 7694b29f C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000761116b2 2 bytes JMP 769c8584 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000761116bd 2 bytes JMP 769c7d4d C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17   0000000076111401 2 bytes JMP 7693eb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17   0000000076111419 2 bytes JMP 7694b513 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17   0000000076111431 2 bytes JMP 769c8609 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42   000000007611144a 2 bytes CALL 76921dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17   00000000761114dd 2 bytes JMP 769c7efe C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17   00000000761114f5 2 bytes JMP 769c80d8 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17   000000007611150d 2 bytes JMP 769c7df4 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17   0000000076111525 2 bytes JMP 769c81c2 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17   000000007611153d 2 bytes JMP 7693f088 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17   0000000076111555 2 bytes JMP 7694b885 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17   000000007611156d 2 bytes JMP 769c86c1 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17   0000000076111585 2 bytes JMP 769c8222 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17   000000007611159d 2 bytes JMP 769c7db8 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17   00000000761115b5 2 bytes JMP 7693f121 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17   00000000761115cd 2 bytes JMP 7694b29f C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20   00000000761116b2 2 bytes JMP 769c8584 C:\Windows\syswow64\kernel32.dll
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31   00000000761116bd 2 bytes JMP 769c7d4d C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076111401 2 bytes JMP 7693eb26 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076111419 2 bytes JMP 7694b513 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076111431 2 bytes JMP 769c8609 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   000000007611144a 2 bytes CALL 76921dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000761114dd 2 bytes JMP 769c7efe C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000761114f5 2 bytes JMP 769c80d8 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   000000007611150d 2 bytes JMP 769c7df4 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076111525 2 bytes JMP 769c81c2 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   000000007611153d 2 bytes JMP 7693f088 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076111555 2 bytes JMP 7694b885 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   000000007611156d 2 bytes JMP 769c86c1 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076111585 2 bytes JMP 769c8222 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   000000007611159d 2 bytes JMP 769c7db8 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000761115b5 2 bytes JMP 7693f121 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000761115cd 2 bytes JMP 7694b29f C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000761116b2 2 bytes JMP 769c8584 C:\Windows\syswow64\kernel32.dll
.text   E:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe[4568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000761116bd 2 bytes JMP 769c7d4d C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT     C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]   [fffff8800109be94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar]   [fffff8800109bc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar]   [fffff8800109c614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong]   [fffff8800109ca10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]   [fffff8800109c86c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0   fffffa8006c7f2c0
Device  \Driver\atapi \Device\Ide\IdePort0   fffffa8006c7f2c0
Device  \Driver\atapi \Device\Ide\IdePort1   fffffa8006c7f2c0
Device  \Driver\atapi \Device\Ide\IdePort2   fffffa8006c7f2c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1   fffffa8006c7f2c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2   fffffa8006c7f2c0
Device  \FileSystem\Ntfs \Ntfs   fffffa80076292c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{E48FAA73-DCE0-4F9A-AA0A-E3C120D19A4E}   fffffa8007efa2c0
Device  \Driver\usbehci \Device\USBPDO-1   fffffa8007ff12c0
Device  \Driver\cdrom \Device\CdRom0   fffffa8007e562c0
Device  \Driver\usbehci \Device\USBFDO-0   fffffa8007ff12c0
Device  \Driver\usbehci \Device\USBFDO-1   fffffa8007ff12c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export   fffffa8007efa2c0
Device  \Driver\atapi \Device\ScsiPort0   fffffa8006c7f2c0
Device  \Driver\usbehci \Device\USBPDO-0   fffffa8007ff12c0
Device  \Driver\atapi \Device\ScsiPort1   fffffa8006c7f2c0
Device  \Driver\atapi \Device\ScsiPort2   fffffa8006c7f2c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{9B5B4BFA-11E8-418B-8AB2-D72F3E87E24A}   fffffa8007efa2c0

---- Trace I/O - GMER 2.1 ----

Trace   ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8006c7f2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys   fffffa8006c7f2c0
Trace   1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007dff060]   fffffa8007dff060
Trace   3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa8007ba5060]   fffffa8007ba5060
Trace   \Driver\atapi[0xfffffa8007ab3150] -> IRP_MJ_CREATE -> 0xfffffa8006c7f2c0   fffffa8006c7f2c0

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0   C:\Program Files (x86)\DAEMON Tools Lite\
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0   0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0   0
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12   0xC4 0x8B 0x5A 0xE3 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0   C:\Program Files (x86)\DAEMON Tools Lite\
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0   0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0   0
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12   0xC4 0x8B 0x5A 0xE3 ...

---- EOF - GMER 2.1 ----
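Added example, not part of the log above and not GMER's own code: a small Python triage script that parses the three GMER 2.1 sections that carry the findings in a log like this one (user code sections, kernel IAT/EAT, registry) and reduces them to the questions an analyst asks first: for each process, which module do the patched PSAPI functions jump into; which kernel imports resolve into a driver other than the one they name; and which string values sit under that driver's service key. The embedded sample is a handful of lines copied verbatim from this log so the script runs offline; the regular expressions are my own reading of the GMER 2.1 line layout and are an assumption, not a format specification. On the full log above it groups every hook in all six processes as PSAPI.DLL -> kernel32.dll, lists the five ataport.SYS imports of atapi.sys that resolve into sptd.sys, and reports the sptd service values including the @p0 path under DAEMON Tools Lite; whether that combination is expected on the machine is still the analyst's call.

```python
"""Triage helper for GMER 2.1 text logs (added example, not GMER's own code)."""
import ntpath
import re
import sys
from collections import defaultdict

# Constructed sample: section headers plus a few entries copied verbatim from
# the log above, so the parser can be exercised offline on real GMER lines.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076111401 2 bytes JMP 7693eb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[4012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   000000007611144a 2 bytes CALL 76921dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Users\kamil\AppData\Roaming\Dropbox\bin\Dropbox.exe[3788] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17   0000000076111555 2 bytes JMP 7694b885 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT     C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar]   [fffff8800109bc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar]   [fffff8800109c614] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0   C:\Program Files (x86)\DAEMON Tools Lite\
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0   0

---- EOF - GMER 2.1 ----
"""

# Line patterns: an assumption about the GMER 2.1 layout, derived from the log.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(?P<count>\d+)\s*$")   # ".text ... * 9"
TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>\d+))?\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<n>\d+) bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)(?:\s+(?P<tmod>\S.*?))?\s*$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>\S+)\[(?P<lib>[^!\]]+)!(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9a-fA-F]+)\]"
    r"\s+(?P<resolved>\S+)\s+\[(?P<section>[^\]]+)\]\s*$")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*?))?\s*$")


def parse_gmer_log(text):
    """Walk the log section by section; Devices/Trace lines are kept unparsed."""
    parsed = {"user_hooks": [], "elided_hooks": 0, "kernel_iat": [],
              "registry": [], "unparsed": []}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m["name"]
        elif section == "User code sections" and (m := ELIDED_RE.match(line)):
            parsed["elided_hooks"] += int(m["count"])   # entries GMER collapsed
        elif section == "User code sections" and (m := TEXT_RE.match(line)):
            parsed["user_hooks"].append({
                "process": m["proc"], "pid": int(m["pid"]), "module": m["module"],
                "function": m["func"], "offset": int(m["off"] or 0),
                "address": int(m["addr"], 16), "patch_len": int(m["n"]),
                "kind": m["kind"], "target": int(m["target"], 16),
                "target_module": m["tmod"] or ""})
        elif section == "Kernel IAT/EAT" and (m := IAT_RE.match(line)):
            parsed["kernel_iat"].append({
                "image": m["image"], "import_lib": m["lib"], "import_name": m["imp"],
                "address": int(m["addr"], 16), "resolved_module": m["resolved"]})
        elif section == "Registry" and (m := REG_RE.match(line)):
            parsed["registry"].append({"key": m["key"], "value": m["value"],
                                       "data": m["data"]})
        else:
            parsed["unparsed"].append((section, line))
    return parsed


def hooks_by_process(parsed):
    """(process, hooked module) -> set of modules the patched bytes jump into.
    All hooks of one DLL landing in a single module is the shape of an API
    forwarding shim; several distinct targets deserve a closer look."""
    groups = defaultdict(set)
    for h in parsed["user_hooks"]:
        key = (ntpath.basename(h["process"]).lower(), ntpath.basename(h["module"]).lower())
        groups[key].add(ntpath.basename(h["target_module"]).lower() or "<unknown>")
    return dict(groups)


def iat_redirections(parsed):
    """Kernel IAT slots resolved into a module other than the one the import
    names, e.g. ataport.SYS!AtaPortReadPortUchar pointing into sptd.sys."""
    out = []
    for e in parsed["kernel_iat"]:
        resolved = ntpath.basename(e["resolved_module"]).lower()
        if resolved != e["import_lib"].lower():
            out.append((ntpath.basename(e["image"]).lower(),
                        f'{e["import_lib"]}!{e["import_name"]}', resolved))
    return out


def registry_values_by_service(parsed):
    """service name -> [(value name, data)] for Reg entries under a service key;
    this is what ties a driver such as sptd to the product directory it came with."""
    out = defaultdict(list)
    for e in parsed["registry"]:
        _, sep, tail = e["key"].lower().partition("\\services\\")
        if sep and e["value"]:
            out[tail.split("\\", 1)[0]].append((e["value"], e["data"]))
    return dict(out)


if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    p = parse_gmer_log(src)
    print(f"{len(p['user_hooks'])} user-mode hooks parsed, {p['elided_hooks']} elided by GMER")
    for (proc, mod), targets in sorted(hooks_by_process(p).items()):
        print(f"  {proc}: hooks in {mod} land in {', '.join(sorted(targets))}")
    for image, imp, resolved in iat_redirections(p):
        print(f"  {image}: import {imp} resolves into {resolved}")
    for svc, values in registry_values_by_service(p).items():
        print(f"  service {svc}: {values}")
```

Usage: save as gmer_triage.py and run "python gmer_triage.py gmer.log" against a saved GMER log; with no argument it runs on the embedded sample. Header lines and the Devices and Trace I/O sections are kept in parsed["unparsed"] rather than interpreted, since their meaning depends on the driver stack and is better read by hand.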