GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-15 19:39:15 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.01.0 698,64GB Running: 5dpcogye.exe; Driver: C:\Users\samsung\AppData\Local\Temp\pfniipod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[1996] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000073701a22 2 bytes [70, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1996] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000073701ad0 2 bytes [70, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1996] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000073701b08 2 bytes [70, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1996] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000073701bba 2 bytes [70, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1996] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000073701bda 2 bytes [70, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2024] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2024] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Users\samsung\AppData\Roaming\Spotify\spotify.exe[1308] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000077ad000c 1 byte [C3] .text C:\Users\samsung\AppData\Roaming\Spotify\spotify.exe[1308] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000077b5f962 5 bytes JMP 0000000177b0d579 .text C:\Users\samsung\AppData\Roaming\Spotify\spotify.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Users\samsung\AppData\Roaming\Spotify\spotify.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[5908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 166 000000002f2f1974 2 bytes [2F, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 253 000000002f2f19cb 2 bytes [2F, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 320 000000002f2f1a0e 2 bytes [2F, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 390 000000002f2f1a54 2 bytes [2F, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 738 000000002f2f1bb0 2 bytes [2F, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 937 000000002f2f1c77 2 bytes [2F, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 958 000000002f2f1c8c 2 bytes [2F, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 970 000000002f2f1c98 2 bytes [2F, 2F] .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5636] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 000000007749d03c 5 bytes JMP 0000000157985629 .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text C:\Users\samsung\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[3140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077adfc10 5 bytes JMP 00000001003a012a .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077adfc40 5 bytes JMP 00000001003a0bc2 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfda4 5 bytes JMP 00000001003a0048 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077adfe38 5 bytes JMP 00000001003a0594 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077adfeb4 5 bytes JMP 00000001003a0e68 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077adff94 5 bytes JMP 00000001003a0758 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077adffc8 5 bytes JMP 00000001003a0ca4 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077adfff8 5 bytes JMP 00000001003a0d86 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077ae0014 2 bytes JMP 0000000100020050 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077ae0017 2 bytes [54, 88] .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 0000000077ae0278 5 bytes JMP 00000001003a020c .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ae072c 5 bytes JMP 00000001003a03d0 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae081c 5 bytes JMP 00000001003a09fe .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ae0834 2 bytes JMP 00000001003a091c .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 3 0000000077ae0837 2 bytes [8C, 88] .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ae0d84 5 bytes JMP 00000001003a0676 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 0000000077ae1564 5 bytes JMP 00000001003a02ee .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ae18b0 5 bytes JMP 00000001003a083a .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ae1b74 5 bytes JMP 00000001003a0ae0 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ae1d00 5 bytes JMP 00000001003a04b2 .text D:\OTL.exe[6604] C:\Windows\syswow64\user32.DLL!RecordShutdownReason + 882 0000000075c315ea 7 bytes JMP 00000001003a0f4a .text D:\OTL.exe[6604] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000776a524f 7 bytes JMP 00000001003c04ba .text D:\OTL.exe[6604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000776a53d0 7 bytes JMP 00000001003c0766 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000776a5677 7 bytes JMP 00000001003c059e .text D:\OTL.exe[6604] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000776a589a 7 bytes JMP 00000001003c020e .text D:\OTL.exe[6604] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000776a5a1d 7 bytes JMP 00000001003c092e .text D:\OTL.exe[6604] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000776a5c9b 7 bytes JMP 00000001003c0682 .text D:\OTL.exe[6604] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000776a5d87 7 bytes JMP 00000001003c084a .text D:\OTL.exe[6604] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000776a7240 7 bytes JMP 00000001003c03d6 .text D:\OTL.exe[6604] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075bc1465 2 bytes [BC, 75] .text D:\OTL.exe[6604] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000075bc14bb 2 bytes [BC, 75] .text ... * 2 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 0000000077adfc10 5 bytes JMP 000000010032012a .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077adfc40 5 bytes JMP 0000000100320bc2 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfda4 5 bytes JMP 0000000100320048 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077adfe38 5 bytes JMP 0000000100320594 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 0000000077adfeb4 5 bytes JMP 0000000100320e68 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077adff94 5 bytes JMP 0000000100320758 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077adffc8 5 bytes JMP 0000000100320ca4 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077adfff8 5 bytes JMP 0000000100320d86 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077ae0014 2 bytes JMP 0000000100020050 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077ae0017 2 bytes [54, 88] .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 0000000077ae0278 5 bytes JMP 000000010032020c .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ae072c 5 bytes JMP 00000001003203d0 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ae081c 5 bytes JMP 00000001003209fe .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ae0834 2 bytes JMP 000000010032091c .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 3 0000000077ae0837 2 bytes [84, 88] .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ae0d84 5 bytes JMP 0000000100320676 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 0000000077ae1564 5 bytes JMP 00000001003202ee .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ae18b0 5 bytes JMP 000000010032083a .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ae1b74 5 bytes JMP 0000000100320ae0 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ae1d00 5 bytes JMP 00000001003204b2 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 00000000776a524f 7 bytes JMP 00000001003302f4 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000776a53d0 7 bytes JMP 00000001003305a0 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 00000000776a5677 7 bytes JMP 00000001003303d8 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 00000000776a589a 7 bytes JMP 0000000100330048 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 00000000776a5a1d 7 bytes JMP 0000000100330768 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 00000000776a5c9b 7 bytes JMP 00000001003304bc .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 00000000776a5d87 7 bytes JMP 0000000100330684 .text D:\5dpcogye.exe[6664] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 00000000776a7240 7 bytes JMP 0000000100330210 .text D:\5dpcogye.exe[6664] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075c315ea 7 bytes JMP 000000010033084c ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!wctomb] [14d10000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!iswctype] [24520000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!wcstombs] [14d014cf245214d1] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!realloc] [14d1000014d10000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!__badioinfo] [14d114d114d114cf] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_read] [14d114d114d114d1] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_fileno] [14d314d1] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_isatty] [14cd000014d30000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!ungetc] [162a000000000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_iob] [162a162a000014d3] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!localeconv] [14d3000014d32452] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!isxdigit] [14d314d314d30000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!isleadbyte] [14d314d314d314d3] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!__mb_cur_max] [2452000014d414d3] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!mbtowc] [14d40000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!isdigit] [1b1e14ce] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!calloc] [1b1e0000000014d4] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_CxxThrowException] [14d4000014d41b1e] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!memset] [14d414d414d42452] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!memcpy] [14d414d414d414d4] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [14d1000014de14d4] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_onexit] [2452162a14de1b1e] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_lock] [14cf1b1e1b0b] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!__dllonexit] [1b0b1b0b000014de] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_unlock] [14de000014de0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!?terminate@@YAXXZ] [14de14de14de14d3] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_amsg_exit] [1b0b000014e014de] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_initterm] [1b1e000014e00000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_XcptFilter] [14d01bc61b0b] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_resetstkoflw] [1b0b1b0b14e0] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z] [14e0156d14e01b0b] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_errno] [14e014e014e00000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!__CxxFrameHandler] [14e014e014e014e0] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_purecall] [14e41bc61b0b14e0] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_vsnwprintf] [14e41b0b000014d4] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!malloc] [1bc6162a0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!free] [1bc614e400000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!__pioinfo] [14e41bc61bc614de] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!_wfopen] [14e414d100000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!fread] [14e414e414e414e4] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!ftell] [162a14e414e414e4] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!fseek] [162a] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!fclose] [14e500000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!wcschr] [162a14e500000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!strncmp] [1b1f00000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[msvcrt.dll!memmove] [162a14d314e50000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!FlushFileBuffers] [14cb0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!WriteFile] [14cb000016f4] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!SetFilePointer] [14cb14cb14c514cb] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [14cb14cb14cb14cb] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!UnhandledExceptionFilter] [2a0214cc14cb14cb] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetCurrentProcess] [2a0214cc00000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!TerminateProcess] [16f42a02] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [16f416f414cc0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetCurrentProcessId] [16f414cc16f40000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetTickCount] [14cc14cc14c614cc] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!QueryPerformanceCounter] [14cc14cc14cc14cc] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!RtlCaptureContext] [16f414cc14cc] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!RtlLookupFunctionEntry] [14cd00000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!RtlVirtualUnwind] [14cd00000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!OutputDebugStringA] [14cb000014cc0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetModuleFileNameW] [14cd16f4] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetCurrentThreadId] [2a0214cd14c70000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetLocalTime] [14cd14cd000014cd] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!FormatMessageW] [14cd14cd14cd14cd] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!Sleep] [14ce000014cd14cd] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!VirtualProtect] [14ce000000000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!DelayLoadFailureHook] [1b0d2a02] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!LoadLibraryExA] [1b0d14ce00000000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!LocalFree] [14ce000014c81b0d] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!CloseHandle] [14ce14cb14ce0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!LockResource] [14ce14ce14ce] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!CreateFileMappingW] [14cf1b0d] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!DisableThreadLibraryCalls] [1b0d14cf0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetProcAddress] [14c914cd14cf] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!SetLastError] [14cf1b0d14cf0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetLastError] [14cf14cf14cf14ce] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!CreateFileW] [14cf14cf14cf14cf] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!SizeofResource] [14d00000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!InitializeCriticalSectionAndSpinCount] [156d0000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!LoadLibraryW] [14cb0000156d14d0] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!LoadResource] [14d0000014d00000] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!FreeLibrary] [14d014d014d0156d] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!FindResourceW] [14d014d014d014d0] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!UnmapViewOfFile] [156d156d156d14d0] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!MapViewOfFile] [156d156d156d156d] IAT C:\Windows\system32\SearchIndexer.exe[2816] @ C:\Windows\System32\NLSData0018.dll[KERNEL32.dll!GetFileSize] [2a02156d] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca97122bf9f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca97122bf9f@d0c1b1d25eca 0x56 0x95 0x55 0x92 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca97122bf9f@0022fd81fb92 0xFB 0xCB 0x68 0x94 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca97122bf9f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca97122bf9f@d0c1b1d25eca 0x56 0x95 0x55 0x92 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca97122bf9f@0022fd81fb92 0xFB 0xCB 0x68 0x94 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\samsung\Desktop\wladca pierscieni gra\Władca Pierścieni Bitwa o Śródziemie II \x2013 Król Nazguli PL-REPACK-O22y\The.Lord.Of.The.Rings.Battle.For.Middle.Earth.II.The.Rise.of.the.Witch-King.ADDON.POLiSH.REPACK.O22y\o22y-bfmetrotwk\wpbosiitlk.exe 1 ---- EOF - GMER 2.1 ----