GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-31 17:04:32
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000007c ATA_____ rev.1A01 931,51GB
Running: qxd4iuy5.exe; Driver: C:\Users\Bartas\AppData\Local\Temp\uwdiipow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000174300 7 bytes [00, A1, F3, FF, 41, B4, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000174308 3 bytes [00, 07, 02]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 0000000077609f2a 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000770d3495 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000770d48f3 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000770d8791 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075542c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b41465 2 bytes [B4, 75]
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b414bb 2 bytes [B4, 75]
.text ... * 2
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavSvc.exe[2176] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007760c4dd 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavSvc.exe[2176] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000770d8791 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavSvc.exe[2176] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075542c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BHipsSvc.exe[2252] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007760c4dd 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BHipsSvc.exe[2252] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000770d8791 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BHipsSvc.exe[2252] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075542c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BHipsSvc.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b41465 2 bytes [B4, 75]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BHipsSvc.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b414bb 2 bytes [B4, 75]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000770d1f0e 7 bytes JMP 0000000170263d10
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000770d5bad 7 bytes JMP 00000001702646b0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000770e1409 7 bytes JMP 0000000170264050
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000770eea45 7 bytes JMP 0000000170263d00
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077178e24 7 bytes JMP 00000001702637c0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077178ea9 5 bytes JMP 0000000170263870
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000771791ff 5 bytes JMP 00000001702637d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075541d29 5 bytes JMP 0000000170263780
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075541dd7 5 bytes JMP 0000000170263740
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075542ab1 5 bytes JMP 0000000170263880
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075542d17 5 bytes JMP 0000000170263560
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759e8a29 5 bytes JMP 0000000170262c50
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759f4572 5 bytes JMP 00000001702634e0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075a0e567 5 bytes JMP 0000000170263550
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a307d7 5 bytes JMP 0000000170262a60
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a47a5c 5 bytes JMP 00000001702634d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007705e96b 5 bytes JMP 0000000170262d70
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007705eba5 5 bytes JMP 0000000170262d80
.text C:\Windows\Explorer.EXE[4480] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000772f0650 6 bytes JMP fb852420
.text C:\Windows\Explorer.EXE[4480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd1e9055 3 bytes CALL 9000027
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000770d1f0e 7 bytes JMP 0000000170263d10
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000770d5bad 7 bytes JMP 00000001702646b0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000770d8791 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000770e1409 7 bytes JMP 0000000170264050
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000770eea45 7 bytes JMP 0000000170263d00
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077178e24 7 bytes JMP 00000001702637c0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077178ea9 5 bytes JMP 0000000170263870
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000771791ff 5 bytes JMP 00000001702637d0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075541d29 5 bytes JMP 0000000170263780
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075541dd7 5 bytes JMP 0000000170263740
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075542ab1 5 bytes JMP 0000000170263880
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075542d17 5 bytes JMP 0000000170263560
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759e8a29 5 bytes JMP 0000000170262c50
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!GetScrollInfo 00000000759f4018 7 bytes JMP 0000000173385fb0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!SetScrollInfo 00000000759f40cf 7 bytes JMP 0000000173385dd0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!ShowScrollBar 00000000759f4162 5 bytes JMP 0000000173386410
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!GetScrollPos 00000000759f4234 5 bytes JMP 0000000173386180
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759f4572 5 bytes JMP 00000001702634e0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!SetScrollPos 00000000759f87a5 5 bytes JMP 0000000173386080
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!EnableScrollBar 00000000759f8d3a 3 bytes JMP 0000000173386450
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!EnableScrollBar + 4 00000000759f8d3e 3 bytes [FD, CC, CC]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!GetScrollRange 00000000759f90c4 5 bytes JMP 0000000173386350
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!SetScrollRange 0000000075a0d50b 5 bytes JMP 0000000173386200
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075a0e567 5 bytes JMP 0000000170263550
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a307d7 5 bytes JMP 0000000170262a60
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a47a5c 5 bytes JMP 00000001702634d0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007705e96b 5 bytes JMP 0000000170262d70
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007705eba5 5 bytes JMP 0000000170262d80
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075665ea5 5 bytes JMP 0000000170262c10
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075699d0b 5 bytes JMP 0000000170262ba0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b41465 2 bytes [B4, 75]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b414bb 2 bytes [B4, 75]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [5708] entry point in ".rdata" section 00000000704f71e6
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 0000000077609f2a 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000770d1f0e 7 bytes JMP 0000000170263d10
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000770d3495 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000770d48f3 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000770d5bad 7 bytes JMP 00000001702646b0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000770d8791 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000770e1409 7 bytes JMP 0000000170264050
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000770eea45 7 bytes JMP 0000000170263d00
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077178e24 7 bytes JMP 00000001702637c0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077178ea9 5 bytes JMP 0000000170263870
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000771791ff 5 bytes JMP 00000001702637d0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075541d29 5 bytes JMP 0000000170263780
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075541dd7 5 bytes JMP 0000000170263740
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075542ab1 5 bytes JMP 0000000170263880
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075542c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075542d17 5 bytes JMP 0000000170263560
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007705e96b 5 bytes JMP 0000000170262d70
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007705eba5 5 bytes JMP 0000000170262d80
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759e8a29 5 bytes JMP 0000000170262c50
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!GetScrollInfo 00000000759f4018 7 bytes JMP 0000000172baa9f0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!SetScrollInfo 00000000759f40cf 7 bytes JMP 0000000172baa810
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!ShowScrollBar 00000000759f4162 5 bytes JMP 0000000172baae50
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!GetScrollPos 00000000759f4234 5 bytes JMP 0000000172baabc0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759f4572 5 bytes JMP 00000001702634e0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!SetScrollPos 00000000759f87a5 5 bytes JMP 0000000172baaac0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!EnableScrollBar 00000000759f8d3a 7 bytes JMP 0000000172baae90
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!GetScrollRange 00000000759f90c4 5 bytes JMP 0000000172baad90
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!SetScrollRange 0000000075a0d50b 5 bytes JMP 0000000172baac40
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075a0e567 5 bytes JMP 0000000170263550
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a307d7 5 bytes JMP 0000000170262a60
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a47a5c 5 bytes JMP 00000001702634d0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075665ea5 5 bytes JMP 0000000170262c10
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075699d0b 5 bytes JMP 0000000170262ba0
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b41465 2 bytes [B4, 75]
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFTray.exe[4156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b414bb 2 bytes [B4, 75]
.text ... * 2
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\bavhm.exe[4716] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd1e9ff2 3 bytes [0A, 60, 06]
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[4740] C:\Windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 0000000077609f2a 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[4740] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000770d3495 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[4740] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000770d48f3 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[4740] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000770d8791 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[4740] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075542c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b41465 2 bytes [B4, 75]
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b414bb 2 bytes [B4, 75]
.text ... * 2
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000770d1f0e 7 bytes JMP 0000000170263d10
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000770d5bad 7 bytes JMP 00000001702646b0
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000770e1409 7 bytes JMP 0000000170264050
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000770eea45 7 bytes JMP 0000000170263d00
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077178e24 7 bytes JMP 00000001702637c0
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077178ea9 5 bytes JMP 0000000170263870
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000771791ff 5 bytes JMP 00000001702637d0
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075541d29 5 bytes JMP 0000000170263780
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075541dd7 5 bytes JMP 0000000170263740
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075542ab1 5 bytes JMP 0000000170263880
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075542d17 5 bytes JMP 0000000170263560
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007705e96b 5 bytes JMP 0000000170262d70
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007705eba5 5 bytes JMP 0000000170262d80
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759e8a29 5 bytes JMP 0000000170262c50
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000759f4572 5 bytes JMP 00000001702634e0
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075a0e567 5 bytes JMP 0000000170263550
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075a307d7 5 bytes JMP 0000000170262a60
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075a47a5c 5 bytes JMP 00000001702634d0

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\6c71d9b4cbd7
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\6c71d9b4cbd7 (not active ControlSet)

---- Files - GMER 2.1 ----

File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000046 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000047 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000048 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000049 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00004a 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00004b 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00004e 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00004f 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000050 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000051 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000052 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000053 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000054 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000055 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00005b 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00005c 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00005d 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00005f 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000063 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000064 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000065 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000066 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000067 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000068 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000069 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006a 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006b 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006c 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006e 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000071 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000072 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000073 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000074 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000061 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000075 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000089 23300 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009d 17700 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c5 20382 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000da 38312 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ee 26205 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008a 16814 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008c 19610 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008d 25447 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008e 18023 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000090 51265 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000091 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000092 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000094 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000095 1044650 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000099 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009a 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009b 33919 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009f 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a3 63069 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a7 34468 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a9 30562 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ad 43036 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000b2 256455 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000b6 44649 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000b9 29573 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ba 24642 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000bb 28969 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000bd 34265 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000be 27045 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000bf 54509 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c0 28099 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c1 24427 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c2 19558 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c3 17522 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c4 17704 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c6 17359 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c7 18141 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c8 40046 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000c9 19141 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ca 18068 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000cb 18323 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000cc 18705 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000cd 18318 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ce 17033 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000cf 94863 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d1 76991 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d2 24349 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d3 74435 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d4 30852 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d5 272052 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d6 30852 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d7 47615 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d8 23728 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000d9 70728 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000db 31602 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000dc 17033 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000dd 23728 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000de 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000df 0 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000e0 32834 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000e1 31312 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000e2 18103 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000e5 18536 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000e6 37378 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000e7 41942 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000e8 22700 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000e9 29917 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ea 28992 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000eb 43943 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ec 20233 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ed 22098 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ef 62060 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000f0 62437 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000f2 43223 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000f3 34233 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000f4 376231 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000111 38301 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000112 150922 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000113 52068 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000114 64975 bytes
File C:\Users\Bartas\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000115 26986 bytes

---- EOF - GMER 2.1 ----
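The log above is raw GMER output, and the user-mode "code sections" part is where the triage work is. What follows is an added helper, not part of the poster's log and not GMER's own code: it parses the `.text` entries, separates JMP/CALL detours from raw byte patches, and groups the detours by the 1 MiB region their target falls in. That mechanically surfaces the pattern a reader can spot by eye in this log, namely that the same target addresses (0000000170263d10 and its neighbours) are reached from NvBackend.exe, BavTray.exe, PCFTray.exe and the GMER process qxd4iuy5.exe itself, which is what one module mapped at the same base in every 32-bit process looks like. The sample lines embedded in the script are copied from the log above; the region granularity, the function names and the `<kernel>` placeholder are the example's own choices, and the script does not decide whether a shared hook module is benign or malicious, it only tells you which hooks belong together so they can be attributed as a group.

```python
"""Triage helper for the 'code sections' part of a GMER log (added example)."""
import re
from collections import defaultdict

# One GMER hook entry:
#   .text <process>[pid] <module>!<symbol>[ + offset] <address> <n> bytes <patch>
# The "<process>[pid]" part is absent on kernel entries.
HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?:(?P<process>[A-Za-z]:\\.+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>[A-Za-z]:\\[^!]+)!(?P<symbol>\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<size>\d+) bytes\s+(?P<patch>.+?)\s*$"
)
# A detour as GMER prints it; anything else (e.g. "[33, C0, 90, ...]") is a raw patch.
TRANSFER_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)$")

# Lines copied from the GMER log above (constructed sample input for the example).
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000174300 7 bytes [00, A1, F3, FF, 41, B4, F0]
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000770d3495 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\PC Faster\5.0.0.0\PCFasterSvc.exe[976] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000770d8791 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4380] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000770d1f0e 7 bytes JMP 0000000170263d10
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000770d1f0e 7 bytes JMP 0000000170263d10
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[5708] C:\Windows\syswow64\USER32.dll!GetScrollInfo 00000000759f4018 7 bytes JMP 0000000173385fb0
.text C:\Users\Bartas\Downloads\qxd4iuy5.exe[6364] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000770d1f0e 7 bytes JMP 0000000170263d10
.text C:\Windows\Explorer.EXE[4480] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000772f0650 6 bytes JMP fb852420
.text ... * 2
"""


def parse_hook(line):
    """Return a dict for one '.text' entry, or None for headers, '... * N' and other lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"]) if entry["pid"] else None
    entry["addr"] = int(entry["addr"], 16)
    entry["size"] = int(entry["size"])
    t = TRANSFER_RE.match(entry["patch"])
    if t:
        entry["kind"] = t.group("kind")
        entry["target"] = int(t.group("target"), 16)
    else:
        entry["kind"] = "BYTES"      # inline patch with no visible control transfer
        entry["target"] = None
    return entry


def region(target, shift=20):
    """Bucket a detour target by its 1 MiB region (example's choice of granularity)."""
    return target >> shift


def triage(lines):
    """Group JMP/CALL hooks by target region; return (groups, byte_patches).

    groups: {region: {"targets": set, "processes": set, "symbols": set}}
    """
    groups = defaultdict(lambda: {"targets": set(), "processes": set(), "symbols": set()})
    byte_patches = []
    for line in lines:
        e = parse_hook(line)
        if e is None:
            continue
        if e["kind"] == "BYTES":
            byte_patches.append(e)
            continue
        g = groups[region(e["target"])]
        g["targets"].add(e["target"])
        g["processes"].add(e["process"] or "<kernel>")
        g["symbols"].add(e["symbol"])
    return dict(groups), byte_patches


def shared_hook_regions(groups, min_processes=2):
    """Regions that several distinct processes detour into.

    Identical target addresses from unrelated processes imply one module mapped
    at the same base in each of them; attribute those hooks as a single group.
    """
    return {r: g for r, g in groups.items() if len(g["processes"]) >= min_processes}


def summarize(lines):
    """Human-readable report, one line per region, most widely shared first."""
    groups, patches = triage(lines)
    out = []
    for r, g in sorted(groups.items(), key=lambda kv: -len(kv[1]["processes"])):
        out.append("region %#x: %d process(es), %d target(s), APIs: %s" % (
            r, len(g["processes"]), len(g["targets"]), ", ".join(sorted(g["symbols"]))))
    out.append("%d raw byte patch(es) without a visible detour" % len(patches))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG.splitlines())))
```

Run it against the full log by replacing `SAMPLE_LOG` with the file contents; hooks whose region is shared by every 32-bit process are the ones to attribute first (dump the module mapped at that base in one of those processes and check its signature), while a region reached from a single process deserves a closer look on its own.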