GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-12 16:08:09
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC4O 465,76GB
Running: ut6d9dhw.exe; Driver: C:\Users\Szymon\AppData\Local\Temp\uxdcrpoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074d11401 2 bytes JMP 7511eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074d11419 2 bytes JMP 7512b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074d11431 2 bytes JMP 751a8609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074d1144a 2 bytes CALL 75101dfa C:\Windows\syswow64\kernel32.dll
.text ...
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074d114dd 2 bytes JMP 751a7efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074d114f5 2 bytes JMP 751a80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074d1150d 2 bytes JMP 751a7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074d11525 2 bytes JMP 751a81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074d1153d 2 bytes JMP 7511f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074d11555 2 bytes JMP 7512b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074d1156d 2 bytes JMP 751a86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074d11585 2 bytes JMP 751a8222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074d1159d 2 bytes JMP 751a7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074d115b5 2 bytes JMP 7511f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074d115cd 2 bytes JMP 7512b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074d116b2 2 bytes JMP 751a8584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074d116bd 2 bytes JMP 751a7d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007712f970 5 bytes JMP 000000016881ea93
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007712f9b8 5 bytes JMP 000000016881f0f8
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007712f9d0 5 bytes JMP 000000016881d830
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007712fa20 5 bytes JMP 000000016881d38c
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007712fa38 5 bytes JMP 000000016881d67d
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007712fad0 5 bytes JMP 000000016881f338
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007712fbc8 5 bytes JMP 000000016882a713
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007712fcdc 5 bytes JMP 000000016881d1d4
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007712fcf4 5 bytes JMP 0000000168829d35
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007712fd28 5 bytes JMP 000000016882a030
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007712fdd4 5 bytes JMP 000000016881e668
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007712fdec 5 bytes JMP 0000000168829e5e
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077130044 5 bytes JMP 0000000168829b7a
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077130154 5 bytes JMP 000000016881d9d8
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 00000000771306e4 5 bytes JMP 000000016881f3da
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077130974 5 bytes JMP 0000000168829d72
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 000000007713098c 5 bytes JMP 000000016881cfa8
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000771309d4 5 bytes JMP 000000016881db8e
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077130b10 5 bytes JMP 000000016881d0be
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077130f00 5 bytes JMP 000000016881e01b
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077130f18 5 bytes JMP 000000016881e1b7
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077130fa8 5 bytes JMP 000000016881f185
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077130fc0 5 bytes JMP 000000016881f2a8
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077130fd8 5 bytes JMP 000000016881f215
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000771312cc 5 bytes JMP 0000000168829f47
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007713140c 5 bytes JMP 000000016881de8e
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000771314b8 5 bytes JMP 000000016881e37b
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 00000000771316a8 5 bytes JMP 000000016881dd06
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000771319e8 5 bytes JMP 000000016881d535
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077131b2c 5 bytes JMP 000000016881e4fd
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007510102d 5 bytes JMP 0000000168803904
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075101062 5 bytes JMP 0000000168803d68
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 000000007510d03c 5 bytes JMP 0000000165ab98da
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007512126f 5 bytes JMP 0000000168803a1e
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075182ec9 5 bytes JMP 0000000168803c62
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000757814fd 5 bytes JMP 0000000168803f75
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 00000000752dc55d 5 bytes JMP 0000000165ad6fd4
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 00000000752e05ff 5 bytes JMP 0000000165adb735
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\USER32.dll!BeginPaint 00000000752e0eba 5 bytes JMP 0000000165ae9366
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\USER32.dll!ValidateRect 00000000752f08c6 5 bytes JMP 0000000165cd17e7
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000758f1ac6 5 bytes JMP 0000000165bb81aa
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076b65bf6 5 bytes JMP 000000016626d2e8
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000076b6e5f4 7 bytes JMP 000000016883e370
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!OleRun 0000000076b6f910 5 bytes JMP 000000016883de9e
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076b7121d 5 bytes JMP 0000000168841745
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076b72a9d 5 bytes JMP 000000016883fa7c
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!OleUninitialize 0000000076b7e982 6 bytes JMP 000000016883de15
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!OleInitialize 0000000076b7ef3b 5 bytes JMP 000000016883ddcd
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000076b9a394 5 bytes JMP 000000016883fdbb
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoInitializeEx 0000000076ba08cc 5 bytes JMP 000000016883dd6d
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoUninitialize 0000000076ba7197 5 bytes JMP 00000001688407cf
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076bb590c 5 bytes JMP 00000001688414ec
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076bb594f 5 bytes JMP 000000016883f3c7
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000076bcb16d 7 bytes JMP 000000016883dee6
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000076c2149a 5 bytes JMP 00000001688408cf
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000076c6cd0d 5 bytes JMP 000000016883de56
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\oleaut32.dll!SysFreeString 00000000755f3e59 5 bytes JMP 0000000165b0f708
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\oleaut32.dll!VariantClear 00000000755f3eae 5 bytes JMP 0000000165b2c57b
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\oleaut32.dll!SysAllocStringByteLen 00000000755f4731 5 bytes JMP 0000000165b9c244
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\oleaut32.dll!VariantChangeType 00000000755f5dee 5 bytes JMP 0000000165ba9bf9
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject 00000000756227ba 5 bytes JMP 00000001688403db
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\oleaut32.dll!RevokeActiveObject 00000000756232b0 5 bytes JMP 000000016883dd25
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Windows\syswow64\oleaut32.dll!GetActiveObject 0000000075638f68 5 bytes JMP 000000016884056f
? C:\Windows\system32\mssprxy.dll [4576] entry point in ".rdata" section 0000000072a071e6
.text C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE[4576] C:\Program Files\Microsoft Office 15\Root\Office15\outlrpc.dll!MAPIRevokeMoniker@4 + 657 00000000674c287c 4 bytes JMP 000000006825f442
? C:\Windows\System32\NLSData0000.dll [4576] entry point in ".rdata" section 000000005593c541
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007712f970 5 bytes JMP 000000016881ea93
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007712f9b8 5 bytes JMP 000000016881f0f8
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007712f9d0 5 bytes JMP 000000016881d830
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007712fa20 5 bytes JMP 000000016881d38c
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007712fa38 5 bytes JMP 000000016881d67d
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007712fad0 5 bytes JMP 000000016881f338
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007712fbc8 5 bytes JMP 000000016882a713
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007712fcdc 5 bytes JMP 000000016881d1d4
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007712fcf4 5 bytes JMP 0000000168829d35
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007712fd28 5 bytes JMP 000000016882a030
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007712fdd4 5 bytes JMP 000000016881e668
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007712fdec 5 bytes JMP 0000000168829e5e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077130044 5 bytes JMP 0000000168829b7a
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077130154 5 bytes JMP 000000016881d9d8
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 00000000771306e4 5 bytes JMP 000000016881f3da
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077130974 5 bytes JMP 0000000168829d72
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 000000007713098c 5 bytes JMP 000000016881cfa8
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000771309d4 5 bytes JMP 000000016881db8e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077130b10 5 bytes JMP 000000016881d0be
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077130f00 5 bytes JMP 000000016881e01b
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077130f18 5 bytes JMP 000000016881e1b7
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077130fa8 5 bytes JMP 000000016881f185
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077130fc0 5 bytes JMP 000000016881f2a8
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077130fd8 5 bytes JMP 000000016881f215
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 00000000771312cc 5 bytes JMP 0000000168829f47
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007713140c 5 bytes JMP 000000016881de8e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 00000000771314b8 5 bytes JMP 000000016881e37b
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 00000000771316a8 5 bytes JMP 000000016881dd06
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 00000000771319e8 5 bytes JMP 000000016881d535
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077131b2c 5 bytes JMP 000000016881e4fd
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007510102d 5 bytes JMP 0000000168803904
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075101062 5 bytes JMP 0000000168803d68
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 000000007510d03c 5 bytes JMP 0000000165ab98da
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007512126f 5 bytes JMP 0000000168803a1e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075182ec9 5 bytes JMP 0000000168803c62
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000757814fd 5 bytes JMP 0000000168803f75
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 00000000752dc55d 5 bytes JMP 0000000165ad6fd4
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 00000000752e05ff 5 bytes JMP 0000000165adb735
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\USER32.dll!BeginPaint 00000000752e0eba 5 bytes JMP 0000000165ae9366
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[5128] C:\Windows\syswow64\USER32.dll!ValidateRect 00000000752f08c6 5 bytes JMP 0000000165cd17e7
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007712fc10 5 bytes JMP 000000010032012a
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc40 5 bytes JMP 0000000100320bc2
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fda4 5 bytes JMP 0000000100320048
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory 000000007712fe20 5 bytes JMP 0000000100320e68
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe38 5 bytes JMP 0000000100320594
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007712feb4 5 bytes JMP 0000000100320f4a
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ff94 5 bytes JMP 0000000100320758
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007712ffc8 5 bytes JMP 0000000100320ca4
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 000000007712fff8 5 bytes JMP 0000000100320d86
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130014 2 bytes JMP 0000000100020050
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 3 0000000077130017 2 bytes [EF, 88]
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 0000000077130278 5 bytes JMP 000000010032020c
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713072c 5 bytes JMP 00000001003203d0
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713081c 5 bytes JMP 00000001003209fe
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130834 2 bytes JMP 000000010032091c
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 3 0000000077130837 2 bytes [1F, 89]
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130d84 5 bytes JMP 0000000100320676
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 0000000077131564 5 bytes JMP 00000001003202ee
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000771318b0 5 bytes JMP 000000010032083a
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131b74 5 bytes JMP 0000000100320ae0
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d00 5 bytes JMP 00000001003204b2
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074e3524f 7 bytes JMP 00000001003303d8
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074e353d0 7 bytes JMP 0000000100330684
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074e35677 7 bytes JMP 00000001003304bc
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074e3589a 7 bytes JMP 000000010033012c
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074e35a1d 7 bytes JMP 000000010033084c
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074e35c9b 7 bytes JMP 00000001003305a0
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074e35d87 7 bytes JMP 0000000100330768
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074e37240 7 bytes JMP 00000001003302f4
.text C:\Users\Szymon\Downloads\ut6d9dhw.exe[7320] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000753215ea 7 bytes JMP 0000000100330930

---- Processes - GMER 2.1 ----

Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] 0000000065ab0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] 0000000064220000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] 0000000068020000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] 0000000067610000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] 0000000061360000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] 00000000675e0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSLID.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] 0000000060be0000
Library C:\Program Files (x86)\Common Files\SYSTEM\MSMAPI\1045\MSMAPI32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] 000000005fd80000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\SkyDriveShell.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] (Microsoft OneDrive Shell Extension/Microsoft Corporation)(2015-03-12 09:59:42) 000000005cf00000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\MSVCP110.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] (Microsoft® C Runtime Library/Microsoft Corporation)(2015-03-12 09:59:40) 0000000055000000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\MSVCR110.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] (Microsoft® C Runtime Library/Microsoft Corporation)(2015-03-12 09:59:40) 0000000054f20000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\Telemetry.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] (Telemetry Library/Microsoft Corporation)(2015-03-12 09:59:41) 0000000054e90000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\logging.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [4576] (Logging Library/Microsoft Corporation)(2015-03-12 09:59:40) 000000005fd40000
Process C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (Dropbox/Dropbox, Inc.)(2015-03-12 10:37:07) 0000000000400000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 0000000052da0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 0000000052ab0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044](2015-03-12 10:37:06) 0000000060a00000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 00000000526d0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (ICU I18N DLL/The ICU Project)(2015-03-12 10:37:06) 000000004a900000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (ICU Common DLL/The ICU Project)(2015-03-12 10:37:06) 0000000004040000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (ICU Data DLL/The ICU Project)(2015-03-12 10:37:06) 000000004ad00000
Library c:\users\szymon\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpmm9qge.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044](2015-03-12 10:37:18) 0000000003a70000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 00000000524f0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 0000000051500000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 00000000512e0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 0000000051080000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 0000000072840000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044](2015-03-12 10:37:06) 0000000071da0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 000000005cfd0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 0000000054df0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 0000000051030000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044](2015-03-12 10:37:06) 0000000050f50000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044](2015-03-12 10:37:06) 0000000050f10000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\plugins\accessible\qtaccessiblewidgets.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044](2015-03-12 10:37:06) 0000000060e30000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (*** suspicious ***) @ C:\Windows\explorer.exe [5200] (Microsoft OneDrive Shell Extension/Microsoft Corporation)(2015-03-12 09:59:43) 000007fefbd50000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\MSVCP110.dll (*** suspicious ***) @ C:\Windows\explorer.exe [5200] (Microsoft® C Runtime Library/Microsoft Corporation)(2015-03-12 09:59:43) 000007fefb150000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\MSVCR110.dll (*** suspicious ***) @ C:\Windows\explorer.exe [5200] (Microsoft®
C Runtime Library/Microsoft Corporation)(2015-03-12 09:59:43) 000007fefa260000 Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (*** suspicious ***) @ C:\Windows\explorer.exe [5200] (Dropbox Shell Extension/Dropbox, Inc.)(2015-03-04 22:27:18) 000007fefbd10000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [5128] 0000000065ab0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [5128] 0000000064220000 Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\SkyDriveShell.dll (*** suspicious ***) @ C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [5544] (Microsoft OneDrive Shell Extension/Microsoft Corporation)(2015-03-12 09:59:42) 000000005cf00000 Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\MSVCP110.dll (*** suspicious ***) @ C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [5544] (Microsoft® C Runtime Library/Microsoft Corporation)(2015-03-12 09:59:40) 0000000055000000 Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\MSVCR110.dll (*** suspicious ***) @ C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [5544] (Microsoft® C Runtime Library/Microsoft Corporation)(2015-03-12 09:59:40) 0000000054f20000 Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\Telemetry.dll (*** suspicious ***) @ C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [5544] (Telemetry Library/Microsoft Corporation)(2015-03-12 09:59:41) 0000000054e90000 Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\logging.dll (*** suspicious ***) @ C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [5544] (Logging Library/Microsoft 
Corporation)(2015-03-12 09:59:40) 000000005fd40000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ec55f9d2a462 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ec55f9d2a462 (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\Szymon\AppData\Local\Microsoft\Office\OTeleData_4576_1.etl 0 bytes File C:\Users\Szymon\AppData\Local\Microsoft\Office\OTeleData_5128_2.etl 0 bytes File C:\Users\Szymon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\JI2CJX0P\formularz_druzyna_0_1 MSZ Biega korekata final (2).xls 31744 bytes File C:\Users\Szymon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7FC8DB82-F207-4B13-88D6-5247AF493C32}.tmp 2560 bytes ---- EOF - GMER 2.1 ----
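Every Process and Library entry in the scan above carries the same "(*** suspicious ***)" marker, whether the module sits under C:\Users\Szymon\AppData, under %TEMP%, or under C:\Program Files (x86)\Common Files, so the marker by itself does not order the entries for review. The added example below (written for this page; it is not GMER code and not part of the original scan output) parses lines in the layout GMER prints here and ranks them by where the module lives and which process it was found in: a DLL loaded from a temp directory first, then profile DLLs inside processes that live elsewhere (explorer.exe, NIS.exe, Office), then an application in the profile loading its own libraries, then Program Files paths. The location classes and that ordering are this example's own heuristic, not anything GMER reports, and the embedded sample is a constructed subset of the entries above.

```python
"""Triage helper for the Process/Library entries of a GMER 2.1 log.

Added example, not part of GMER.  Parses the entry layout seen in the scan
above and orders entries for manual review.  The ranking is a heuristic
for prioritising review, not a verdict on any file.
"""
import re
from collections import defaultdict

# kind, module path, optional marker, host path, [PID], then an optional
# "(Description/Company)" block, an optional "(timestamp)" block and the
# 16-hex-digit load address.  Version-info text can contain nested
# parentheses ("subsidiary(-ies)"), so the tail is split off in two stages.
ENTRY_RE = re.compile(
    r"^(?P<kind>Process|Library)\s+(?P<module>.+?)"
    r"(?:\s+\((?P<flag>\*\*\* suspicious \*\*\*)\))?\s+@\s+"
    r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]\s*(?P<rest>.*?)\s*(?P<base>[0-9a-f]{16})$"
)
TS_RE = re.compile(r"\((?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\)$")


def parse_entry(line):
    """Return a dict for one Process/Library line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["pid"] = int(e["pid"])
    e["suspicious"] = e.pop("flag") is not None
    rest = e.pop("rest")
    ts = TS_RE.search(rest)
    e["timestamp"] = ts.group("ts") if ts else None
    if ts:
        rest = rest[: ts.start()].rstrip()
    # What remains is "(Description/Company)" from the file's version resource;
    # the Office entries above show GMER prints nothing when it is absent.
    e["description"], e["company"] = None, None
    if rest.startswith("(") and rest.endswith(")"):
        desc, _, company = rest[1:-1].partition("/")  # first "/" separates the two
        e["description"], e["company"] = desc, company or None
    return e


def location_class(path):
    """Coarse, heuristic classification of where a module lives on disk."""
    p = path.lower()
    if "\\temp\\" in p:
        return "temp"
    if "\\appdata\\" in p:
        return "user-profile"
    if p.startswith("c:\\windows\\"):
        return "system"
    if p.startswith("c:\\program files"):
        return "program-files"
    return "other"


def priority(e):
    """Lower is reviewed first.  Heuristic ordering, not a verdict."""
    loc, host_loc = location_class(e["module"]), location_class(e["host"])
    if loc == "temp":
        return 0  # code loaded from a scratch directory
    if loc == "user-profile" and host_loc != "user-profile":
        return 1  # profile DLL inside explorer.exe, NIS.exe, Office, ...
    if loc == "user-profile":
        return 2  # application in the profile loading its own DLLs
    return 3      # Program Files / Windows paths


def triage(lines):
    """Parse every entry and return them most-urgent first."""
    entries = [e for e in map(parse_entry, lines) if e is not None]
    for e in entries:
        e["priority"] = priority(e)
    return sorted(entries, key=lambda e: (e["priority"], e["host"].lower(), e["module"].lower()))


def modules_by_host(entries):
    """Map 'host.exe [pid]' to the module paths found in that process."""
    out = defaultdict(list)
    for e in entries:
        out[f"{e['host']} [{e['pid']}]"].append(e["module"])
    return dict(out)


# Constructed sample: a subset of the entries from the scan above.
SAMPLE_LOG = r"""
Process C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (Dropbox/Dropbox, Inc.)(2015-03-12 10:37:07) 0000000000400000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-12 10:37:06) 00000000526d0000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044](2015-03-12 10:37:06) 0000000060a00000
Library c:\users\szymon\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpmm9qge.dll (*** suspicious ***) @ C:\Users\Szymon\AppData\Roaming\Dropbox\bin\Dropbox.exe [5044](2015-03-12 10:37:18) 0000000003a70000
Library C:\Users\Szymon\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (*** suspicious ***) @ C:\Windows\explorer.exe [5200] (Dropbox Shell Extension/Dropbox, Inc.)(2015-03-04 22:27:18) 000007fefbd10000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [5128] 0000000065ab0000
Library C:\Users\Szymon\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\logging.dll (*** suspicious ***) @ C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [5544] (Logging Library/Microsoft Corporation)(2015-03-12 09:59:40) 000000005fd40000
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        print(e["priority"], e["module"], "@", e["host"], e["pid"], e["company"])
```

Run against a full log by passing the file's lines to triage(); the description and company fields come from the module's version resource as GMER printed it, so they identify what the file claims to be and are no substitute for checking its signature and hash before deciding anything about an entry.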