GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-10-25 12:56:27
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB
Running: m57g1hli.exe; Driver: C:\Users\WIESAW~1\AppData\Local\Temp\fxldapow.sys


---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077abfaa8 5 bytes JMP 00000001734018dd
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 0000000173401ed6
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[2016] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize + 779 00000000771eb9f8 4 bytes [0B, 26, 40, 73]
.text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ee1465 2 bytes [EE, 76]
.text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ee14bb 2 bytes [EE, 76]
.text ... * 2
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ff13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ff146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ff16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000073ff16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ff19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ff19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073ff1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073ff1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ff1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073ff1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000778c11f5 8 bytes {JMP 0xd}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 00000000778c1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778c143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 00000000778c158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778c191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 00000000778c1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 00000000778c1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778c1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 00000000778c1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778c1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 00000000778c1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 00000000778c1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 00000000778c1fd7 8 bytes {JMP 0xb}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 00000000778c2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 00000000778c2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 00000000778c2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778c27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000778c27d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 00000000778c282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 00000000778c2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 00000000778c2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 00000000778c2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 00000000778c3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 00000000778c323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000778c33c0 16 bytes {JMP 0x4e}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 00000000778c3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 00000000778c3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 00000000778c3b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 00000000778c3d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 00000000778c4190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077911380 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077911500 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077911530 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077911650 8 bytes JMP a23f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077911700 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d30 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077911f80 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779127e0 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ff13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ff146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ff16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000073ff16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ff19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ff19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073ff1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073ff1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ff1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7672] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073ff1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000778c11f5 8 bytes {JMP 0xd}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 00000000778c1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000778c143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 00000000778c158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000778c191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 00000000778c1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 00000000778c1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 00000000778c1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 00000000778c1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 00000000778c1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 00000000778c1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 00000000778c1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 00000000778c1fd7 8 bytes {JMP 0xb}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 00000000778c2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 00000000778c2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 00000000778c2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000778c27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000778c27d2 8 bytes {JMP 0x10}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 00000000778c282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 00000000778c2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 00000000778c2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 00000000778c2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 00000000778c3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 00000000778c323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000778c33c0 16 bytes {JMP 0x4e}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 00000000778c3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 00000000778c3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 00000000778c3b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 00000000778c3d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 00000000778c4190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077911380 8 bytes {JMP QWORD [RIP-0x4d4cf]}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077911500 8 bytes {JMP QWORD [RIP-0x4d498]}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077911530 8 bytes {JMP QWORD [RIP-0x4d9b1]}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077911650 8 bytes {JMP QWORD [RIP-0x4d7a7]}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077911700 8 bytes {JMP QWORD [RIP-0x4d9e3]}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d30 8 bytes {JMP QWORD [RIP-0x4dba6]}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077911f80 8 bytes {JMP QWORD [RIP-0x4de55]}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779127e0 8 bytes {JMP QWORD [RIP-0x4e770]}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000073ff13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000073ff146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000073ff16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000073ff16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000073ff19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000073ff19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073ff1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073ff1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073ff1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Wiesław\Downloads\gm\m57g1hli.exe[10728] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073ff1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004b70fb0] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [332:2808] 000007fef775a2b0
Thread C:\Windows\System32\svchost.exe [332:1868] 000007fef8ce88f8
Thread C:\Windows\System32\svchost.exe [332:3844] 000007fef89644e0
Thread C:\Windows\System32\spoolsv.exe [1372:1932] 000007fef95910c8
Thread C:\Windows\System32\spoolsv.exe [1372:1940] 000007fef9556144
Thread C:\Windows\System32\spoolsv.exe [1372:1944] 000007fef9345fd0
Thread C:\Windows\System32\spoolsv.exe [1372:1948] 000007fef9333438
Thread C:\Windows\System32\spoolsv.exe [1372:1952] 000007fef93463ec
Thread C:\Windows\System32\spoolsv.exe [1372:1960] 000007fefa085e5c
Thread C:\Windows\System32\spoolsv.exe [1372:1964] 000007fefa135074
Thread C:\Windows\System32\spoolsv.exe [1372:1992] 0000000001f6c334
Thread C:\Windows\system32\taskhost.exe [1616:3896] 000007fef9c75170
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [576:1332] 000007fefbef2bf8
Thread C:\Windows\system32\svchost.exe [2612:2428] 000007feff32a808

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\KLIF\Parameters@LastProcessedRevision 42527661

---- EOF - GMER 2.1 ----