GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-17 07:31:04 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.D005 465,76GB Running: go3wdubs.exe; Driver: C:\Users\Szy\AppData\Local\Temp\uxldypoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88004428dac 12 bytes {MOV RAX, 0xfffffa8006b172a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077a4f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077a79a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077a894c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077a89630 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077aa87e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda12db0 5 bytes JMP 000007fffda00180 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda137d0 7 bytes JMP 000007fffda000d8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda18ef0 6 bytes JMP 000007fffda00148 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda2af60 5 bytes JMP 000007fffda00110 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf689f0 8 bytes JMP 000007fffda001f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf6be50 8 bytes JMP 000007fffda001b8 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe337490 11 bytes JMP 000007fffda00228 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1440] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe34bf00 7 bytes JMP 000007fffda00260 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda12db0 5 bytes JMP 000007fffda00180 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda137d0 7 bytes JMP 000007fffda000d8 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda18ef0 6 bytes JMP 000007fffda00148 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda2af60 5 bytes JMP 000007fffda00110 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf689f0 8 bytes JMP 000007fffda001f0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf6be50 8 bytes JMP 000007fffda001b8 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077a4f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077a79a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077a894c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077a89630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077aa87e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda12db0 5 bytes JMP 000007fffda00180 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda137d0 7 bytes JMP 000007fffda000d8 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda18ef0 6 bytes JMP 000007fffda00148 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda2af60 5 bytes JMP 000007fffda00110 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf689f0 8 bytes JMP 000007fffda001f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf6be50 8 bytes JMP 000007fffda001b8 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe337490 11 bytes JMP 000007fffda00228 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe34bf00 7 bytes JMP 000007fffda00260 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077a4f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077a79a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077a894c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077a89630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077aa87e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda12db0 5 bytes JMP 000007fffda00180 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda137d0 7 bytes JMP 000007fffda000d8 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda18ef0 6 bytes JMP 000007fffda00148 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda2af60 5 bytes JMP 000007fffda00110 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf689f0 8 bytes JMP 000007fffda001f0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf6be50 8 bytes JMP 000007fffda001b8 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe337490 11 bytes JMP 000007fffda00228 .text C:\Program Files\Dell\QuickSet\quickset.exe[2372] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe34bf00 7 bytes JMP 000007fffda00260 .text C:\Windows\System32\igfxpers.exe[2424] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda12db0 5 bytes JMP 000007fffda00180 .text C:\Windows\System32\igfxpers.exe[2424] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda137d0 7 bytes JMP 000007fffda000d8 .text C:\Windows\System32\igfxpers.exe[2424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda18ef0 6 bytes JMP 000007fffda00148 .text C:\Windows\System32\igfxpers.exe[2424] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda2af60 5 bytes JMP 000007fffda00110 .text C:\Windows\System32\igfxpers.exe[2424] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf689f0 8 bytes JMP 000007fffda001f0 .text C:\Windows\System32\igfxpers.exe[2424] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf6be50 8 bytes JMP 000007fffda001b8 .text C:\Windows\System32\igfxpers.exe[2424] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe337490 11 bytes JMP 000007fffda00228 .text C:\Windows\System32\igfxpers.exe[2424] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe34bf00 7 bytes JMP 000007fffda00260 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000077a4f2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077a79a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077a894c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077a89630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077aa87e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda12db0 5 bytes JMP 000007fffda00180 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda137d0 7 bytes JMP 000007fffda000d8 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda18ef0 6 bytes JMP 000007fffda00148 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda2af60 5 bytes JMP 000007fffda00110 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf689f0 8 bytes JMP 000007fffda001f0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf6be50 8 bytes JMP 000007fffda001b8 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe337490 11 bytes JMP 000007fffda00228 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2620] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe34bf00 7 bytes JMP 000007fffda00260 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000771b1409 7 bytes JMP 00000001748a1e90 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000771cb21b 5 bytes JMP 00000001748a1da0 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077248e24 7 bytes JMP 00000001748a1d90 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077248ea9 5 bytes JMP 00000001748a1e80 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000772491ff 5 bytes JMP 00000001748a1e10 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075ec1d29 5 bytes JMP 00000001748a2450 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075ec1dd7 5 bytes JMP 00000001748a24b0 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075ec2ab1 5 bytes JMP 00000001748a2520 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075ec2d17 5 bytes JMP 00000001748a2670 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e4e96b 5 bytes JMP 00000001748a1a00 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e4eba5 5 bytes JMP 00000001748a1a90 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076175ea5 5 bytes JMP 00000001748a1ce0 .text C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[2792] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000761a9d0b 5 bytes JMP 00000001748a1c70 .text C:\Program Files\iTunes\iTunesHelper.exe[2924] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda12db0 5 bytes JMP 000007fffda00180 .text C:\Program Files\iTunes\iTunesHelper.exe[2924] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda137d0 7 bytes JMP 000007fffda000d8 .text C:\Program Files\iTunes\iTunesHelper.exe[2924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda18ef0 6 bytes JMP 000007fffda00148 .text C:\Program Files\iTunes\iTunesHelper.exe[2924] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda2af60 5 bytes JMP 000007fffda00110 .text C:\Program Files\iTunes\iTunesHelper.exe[2924] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf689f0 8 bytes JMP 000007fffda001f0 .text C:\Program Files\iTunes\iTunesHelper.exe[2924] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf6be50 8 bytes JMP 000007fffda001b8 .text C:\Program Files\iTunes\iTunesHelper.exe[2924] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe337490 11 bytes JMP 000007fffda00228 .text C:\Program Files\iTunes\iTunesHelper.exe[2924] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe34bf00 7 bytes JMP 000007fffda00260 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075f01401 2 bytes JMP 771cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075f01419 2 bytes JMP 771cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075f01431 2 bytes JMP 77248ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075f0144a 2 bytes CALL 771a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075f014dd 2 bytes JMP 772487a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075f014f5 2 bytes JMP 77248978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075f0150d 2 bytes JMP 77248698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075f01525 2 bytes JMP 77248a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075f0153d 2 bytes JMP 771bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075f01555 2 bytes JMP 771c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075f0156d 2 bytes JMP 77248f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075f01585 2 bytes JMP 77248ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075f0159d 2 bytes JMP 7724865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075f015b5 2 bytes JMP 771bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075f015cd 2 bytes JMP 771cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075f016b2 2 bytes JMP 77248e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3980] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075f016bd 2 bytes JMP 772485f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\wbem\unsecapp.exe[4764] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefda12db0 5 bytes JMP 000007fffda00180 .text C:\Windows\system32\wbem\unsecapp.exe[4764] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefda137d0 7 bytes JMP 000007fffda000d8 .text C:\Windows\system32\wbem\unsecapp.exe[4764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda18ef0 6 bytes JMP 000007fffda00148 .text C:\Windows\system32\wbem\unsecapp.exe[4764] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefda2af60 5 bytes JMP 000007fffda00110 .text C:\Windows\system32\wbem\unsecapp.exe[4764] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefe337490 11 bytes JMP 000007fffda00228 .text C:\Windows\system32\wbem\unsecapp.exe[4764] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefe34bf00 7 bytes JMP 000007fffda00260 .text C:\Windows\system32\wbem\unsecapp.exe[4764] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf689f0 8 bytes JMP 000007fffda001f0 .text C:\Windows\system32\wbem\unsecapp.exe[4764] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf6be50 8 bytes JMP 000007fffda001b8 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000771b1409 7 bytes JMP 00000001748a1e90 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000771cb21b 5 bytes JMP 00000001748a1da0 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000077248e24 7 bytes JMP 00000001748a1d90 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077248ea9 5 bytes JMP 00000001748a1e80 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000772491ff 5 bytes JMP 00000001748a1e10 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075ec1d29 5 bytes JMP 00000001748a2450 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075ec1dd7 5 bytes JMP 00000001748a24b0 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075ec2ab1 5 bytes JMP 00000001748a2520 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075ec2d17 5 bytes JMP 00000001748a2670 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075e4e96b 5 bytes JMP 00000001748a1a00 .text C:\Users\Szy\Desktop\go3wdubs.exe[3148] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075e4eba5 5 bytes JMP 00000001748a1a90 ---- Devices - GMER 2.1 ---- Device \Driver\agizw9s1 \Device\Scsi\agizw9s11 fffffa80070bf2c0 Device \Driver\agizw9s1 \Device\Scsi\agizw9s11Port1Path0Target0Lun0 fffffa80070bf2c0 Device \FileSystem\Ntfs \Ntfs fffffa8003c692c0 Device \FileSystem\fastfat \Fat fffffa800aa312c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8003cfe2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80069912c0 Device \Driver\cdrom \Device\CdRom1 fffffa80069912c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8003cfe2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{11D44A01-3CC0-4905-80F9-F4785231A134} fffffa8006a2b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{507A970A-E7C3-4616-B341-763732110DBC} fffffa8006a2b2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8003cfe2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006a2b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{0D5FB455-FC64-47F7-BFCB-BA1DDA8A3E4B} fffffa8006a2b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{92512462-2627-4AE1-917B-ECF984019532} fffffa8006a2b2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8003cfe2c0 Device \Driver\agizw9s1 \Device\ScsiPort1 fffffa80070bf2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A3D1A439-80BE-49A5-932B-0E4470E5E97C} fffffa8006a2b2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\agizw9s1.SYS fffff880046d1000-fffff88004715000 (278528 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3848] 0000000077e63e85 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3860] 0000000077e62e65 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3880] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3884] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3888] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3892] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3896] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3900] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3904] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3908] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3912] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3916] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3952] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3956] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3960] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3996] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:4000] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:4004] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:4008] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:4012] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:4016] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:4020] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:2952] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:2948] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:2912] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:2908] 0000000077e63e85 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3204] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3480] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3476] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3472] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:396] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3572] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3672] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3416] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3444] 000000006a1b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3796:3412] 000000006a1b29e1 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A0367AA2-0179-4D07-A8CE-021A6B9BF540}\Connection@Name isatap.{92512462-2627-4AE1-917B-ECF984019532} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{074201D0-8D99-4127-B5BD-083AEAAC8E8B}?\Device\{AE169499-1241-47D7-A273-74E47C68B276}?\Device\{744E6EB0-695A-4128-BA10-F585288CCA0E}?\Device\{A0367AA2-0179-4D07-A8CE-021A6B9BF540}?\Device\{FA75BF00-F0DD-4262-8246-B1BEC44AAA14}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{074201D0-8D99-4127-B5BD-083AEAAC8E8B}"?"{AE169499-1241-47D7-A273-74E47C68B276}"?"{744E6EB0-695A-4128-BA10-F585288CCA0E}"?"{A0367AA2-0179-4D07-A8CE-021A6B9BF540}"?"{FA75BF00-F0DD-4262-8246-B1BEC44AAA14}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{074201D0-8D99-4127-B5BD-083AEAAC8E8B}?\Device\TCPIP6TUNNEL_{AE169499-1241-47D7-A273-74E47C68B276}?\Device\TCPIP6TUNNEL_{744E6EB0-695A-4128-BA10-F585288CCA0E}?\Device\TCPIP6TUNNEL_{A0367AA2-0179-4D07-A8CE-021A6B9BF540}?\Device\TCPIP6TUNNEL_{FA75BF00-F0DD-4262-8246-B1BEC44AAA14}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289f2fdae Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289f2fdae@68764f26b7ca 0x57 0x5B 0x0F 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{A0367AA2-0179-4D07-A8CE-021A6B9BF540}@InterfaceName isatap.{92512462-2627-4AE1-917B-ECF984019532} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{A0367AA2-0179-4D07-A8CE-021A6B9BF540}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x02 0x72 0x0F 0xE2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x03 0xFF 0x19 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x5A 0xA0 0x3B 0x2D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289f2fdae (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289f2fdae@68764f26b7ca 0x57 0x5B 0x0F 0x94 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x02 0x72 0x0F 0xE2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x03 0xFF 0x19 0xB8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x5A 0xA0 0x3B 0x2D ... ---- EOF - GMER 2.1 ----