GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-07 23:27:15
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000066 ST500LT0 rev.0002 465,76GB
Running: jhnmqgsg.exe; Driver: C:\Users\KamilPC\AppData\Local\Temp\fxldapow.sys

---- User code sections - GMER 2.1 ----

.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075691401  2 bytes JMP 757fb21b C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075691419  2 bytes JMP 757fb346 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075691431  2 bytes JMP 75878ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007569144a  2 bytes CALL 757d48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756914dd  2 bytes JMP 758787a2 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756914f5  2 bytes JMP 75878978 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007569150d  2 bytes JMP 75878698 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075691525  2 bytes JMP 75878a62 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007569153d  2 bytes JMP 757efca8 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075691555  2 bytes JMP 757f68ef C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007569156d  2 bytes JMP 75878f61 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075691585  2 bytes JMP 75878ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007569159d  2 bytes JMP 7587865c C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756915b5  2 bytes JMP 757efd41 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756915cd  2 bytes JMP 757fb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756916b2  2 bytes JMP 75878e24 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1516]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756916bd  2 bytes JMP 758785f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075691401  2 bytes JMP 757fb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075691419  2 bytes JMP 757fb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075691431  2 bytes JMP 75878ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007569144a  2 bytes CALL 757d48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756914dd  2 bytes JMP 758787a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756914f5  2 bytes JMP 75878978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007569150d  2 bytes JMP 75878698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075691525  2 bytes JMP 75878a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007569153d  2 bytes JMP 757efca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075691555  2 bytes JMP 757f68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007569156d  2 bytes JMP 75878f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075691585  2 bytes JMP 75878ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007569159d  2 bytes JMP 7587865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756915b5  2 bytes JMP 757efd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756915cd  2 bytes JMP 757fb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756916b2  2 bytes JMP 75878e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756916bd  2 bytes JMP 758785f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075691401  2 bytes JMP 757fb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075691419  2 bytes JMP 757fb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075691431  2 bytes JMP 75878ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007569144a  2 bytes CALL 757d48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756914dd  2 bytes JMP 758787a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756914f5  2 bytes JMP 75878978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007569150d  2 bytes JMP 75878698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075691525  2 bytes JMP 75878a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007569153d  2 bytes JMP 757efca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075691555  2 bytes JMP 757f68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007569156d  2 bytes JMP 75878f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075691585  2 bytes JMP 75878ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007569159d  2 bytes JMP 7587865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756915b5  2 bytes JMP 757efd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756915cd  2 bytes JMP 757fb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756916b2  2 bytes JMP 75878e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\HPNotify.exe[2252]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756916bd  2 bytes JMP 758785f1 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075691401  2 bytes JMP 757fb21b C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075691419  2 bytes JMP 757fb346 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075691431  2 bytes JMP 75878ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007569144a  2 bytes CALL 757d48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756914dd  2 bytes JMP 758787a2 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756914f5  2 bytes JMP 75878978 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007569150d  2 bytes JMP 75878698 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075691525  2 bytes JMP 75878a62 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007569153d  2 bytes JMP 757efca8 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075691555  2 bytes JMP 757f68ef C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007569156d  2 bytes JMP 75878f61 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075691585  2 bytes JMP 75878ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007569159d  2 bytes JMP 7587865c C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756915b5  2 bytes JMP 757efd41 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756915cd  2 bytes JMP 757fb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756916b2  2 bytes JMP 75878e24 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\AppMgr3.16.8591351\1\plugin.exe[2132]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756916bd  2 bytes JMP 758785f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000075691401  2 bytes JMP 757fb21b C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000075691419  2 bytes JMP 757fb346 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000075691431  2 bytes JMP 75878ea9 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  000000007569144a  2 bytes CALL 757d48ad C:\Windows\syswow64\KERNEL32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000756914dd  2 bytes JMP 758787a2 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000756914f5  2 bytes JMP 75878978 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  000000007569150d  2 bytes JMP 75878698 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000075691525  2 bytes JMP 75878a62 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  000000007569153d  2 bytes JMP 757efca8 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000075691555  2 bytes JMP 757f68ef C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  000000007569156d  2 bytes JMP 75878f61 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000075691585  2 bytes JMP 75878ac2 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  000000007569159d  2 bytes JMP 7587865c C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000756915b5  2 bytes JMP 757efd41 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000756915cd  2 bytes JMP 757fb2dc C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000756916b2  2 bytes JMP 75878e24 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\utilCytiWeb.exe[5620]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000756916bd  2 bytes JMP 758785f1 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075691401  2 bytes JMP 757fb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075691419  2 bytes JMP 757fb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075691431  2 bytes JMP 75878ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007569144a  2 bytes CALL 757d48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756914dd  2 bytes JMP 758787a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756914f5  2 bytes JMP 75878978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007569150d  2 bytes JMP 75878698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075691525  2 bytes JMP 75878a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007569153d  2 bytes JMP 757efca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075691555  2 bytes JMP 757f68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007569156d  2 bytes JMP 75878f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075691585  2 bytes JMP 75878ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007569159d  2 bytes JMP 7587865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756915b5  2 bytes JMP 757efd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756915cd  2 bytes JMP 757fb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756916b2  2 bytes JMP 75878e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.expext.exe[1684]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756916bd  2 bytes JMP 758785f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075691401  2 bytes JMP 757fb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075691419  2 bytes JMP 757fb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075691431  2 bytes JMP 75878ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007569144a  2 bytes CALL 757d48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756914dd  2 bytes JMP 758787a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756914f5  2 bytes JMP 75878978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007569150d  2 bytes JMP 75878698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075691525  2 bytes JMP 75878a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007569153d  2 bytes JMP 757efca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075691555  2 bytes JMP 757f68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007569156d  2 bytes JMP 75878f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075691585  2 bytes JMP 75878ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007569159d  2 bytes JMP 7587865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756915b5  2 bytes JMP 757efd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756915cd  2 bytes JMP 757fb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756916b2  2 bytes JMP 75878e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Cyti Web\bin\CytiWeb.BrowserAdapter.exe[4644]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756916bd  2 bytes JMP 758785f1 C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1516] (WindowsProtectManger Service/Fuyu LIMITED)(2015-01-14 19:44:31)  0000000001370000
Process  C:\Users\KamilPC\AppData\Local\Temp\Temp1_gm.zip\jhnmqgsg.exe (*** suspicious ***) @ C:\Users\KamilPC\AppData\Local\Temp\Temp1_gm.zip\jhnmqgsg.exe [2928](2015-02-04 11:59:58)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18cf5e131d24
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18cf5e131d60
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18cf5e131d24 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18cf5e131d60 (not active ControlSet)

---- EOF - GMER 2.1 ----