GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-11 16:09:29 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.CXM0 476,94GB Running: tcsl2ckb.exe; Driver: C:\Users\wojtek\AppData\Local\Temp\pgldapod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cba400 7 bytes JMP 000000016fff0228 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076cc3f20 5 bytes JMP 000000016fff0180 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076cdffb0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076cef2e0 5 bytes JMP 000000016fff0110 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d19a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d294c0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d487e0 7 bytes JMP 000000016fff01f0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcec2db0 5 bytes JMP 000007fffceb0180 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcec37d0 7 bytes JMP 000007fffceb00d8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcec8ef0 6 bytes JMP 000007fffceb0148 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcedaf60 5 bytes JMP 000007fffceb0110 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff0689f0 8 bytes JMP 000007fffceb01f0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1656] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff06be50 8 bytes JMP 000007fffceb01b8 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074d91d29 5 bytes JMP 0000000173144580 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074d91dd7 5 bytes JMP 0000000173144540 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074d92ab1 5 bytes JMP 0000000173144680 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074d92d17 5 bytes JMP 0000000173144360 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000749b8a29 5 bytes JMP 0000000173143a40 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000749c4572 5 bytes JMP 00000001731442e0 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000749de567 5 bytes JMP 0000000173144350 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000074a007d7 5 bytes JMP 0000000173143850 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074a17a5c 5 bytes JMP 00000001731442d0 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075efe96b 5 bytes JMP 0000000173143b60 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075efeba5 5 bytes JMP 0000000173143b80 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076551401 2 bytes JMP 7516b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076551419 2 bytes JMP 7516b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076551431 2 bytes JMP 751e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007655144a 2 bytes CALL 751448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000765514dd 2 bytes JMP 751e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000765514f5 2 bytes JMP 751e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007655150d 2 bytes JMP 751e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076551525 2 bytes JMP 751e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007655153d 2 bytes JMP 7515fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076551555 2 bytes JMP 751668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007655156d 2 bytes JMP 751e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076551585 2 bytes JMP 751e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007655159d 2 bytes JMP 751e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000765515b5 2 bytes JMP 7515fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000765515cd 2 bytes JMP 7516b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000765516b2 2 bytes JMP 751e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000765516bd 2 bytes JMP 751e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074af5ea5 5 bytes JMP 0000000173143a00 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe[1860] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074b29d0b 5 bytes JMP 0000000173143990 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cba400 7 bytes JMP 000000016fff0228 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076cc3f20 5 bytes JMP 000000016fff0180 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076cdffb0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076cef2e0 5 bytes JMP 000000016fff0110 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d19a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d294c0 5 bytes JMP 000000016fff0148 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d487e0 7 bytes JMP 000000016fff01f0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcec2db0 5 bytes JMP 000007fffceb0180 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcec37d0 7 bytes JMP 000007fffceb00d8 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcec8ef0 6 bytes JMP 000007fffceb0148 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcedaf60 5 bytes JMP 000007fffceb0110 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff0689f0 8 bytes JMP 000007fffceb01f0 .text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[2072] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff06be50 8 bytes JMP 000007fffceb01b8 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075141f0e 7 bytes JMP 0000000173144b10 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075145bad 7 bytes JMP 00000001731454b0 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075151409 7 bytes JMP 0000000173144e50 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007515ea45 7 bytes JMP 0000000173144b00 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000751e8e24 7 bytes JMP 00000001731445c0 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000751e8ea9 5 bytes JMP 0000000173144670 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000751e91ff 5 bytes JMP 00000001731445d0 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074d91d29 5 bytes JMP 0000000173144580 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074d91dd7 5 bytes JMP 0000000173144540 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074d92ab1 5 bytes JMP 0000000173144680 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074d92d17 5 bytes JMP 0000000173144360 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076551401 2 bytes JMP 7516b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076551419 2 bytes JMP 7516b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076551431 2 bytes JMP 751e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007655144a 2 bytes CALL 751448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000765514dd 2 bytes JMP 751e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000765514f5 2 bytes JMP 751e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007655150d 2 bytes JMP 751e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076551525 2 bytes JMP 751e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007655153d 2 bytes JMP 7515fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076551555 2 bytes JMP 751668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007655156d 2 bytes JMP 751e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076551585 2 bytes JMP 751e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007655159d 2 bytes JMP 751e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000765515b5 2 bytes JMP 7515fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000765515cd 2 bytes JMP 7516b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000765516b2 2 bytes JMP 751e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000765516bd 2 bytes JMP 751e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000749b8a29 5 bytes JMP 0000000173143a40 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000749c4572 5 bytes JMP 00000001731442e0 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000749de567 5 bytes JMP 0000000173144350 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000074a007d7 5 bytes JMP 0000000173143850 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074a17a5c 5 bytes JMP 00000001731442d0 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075efe96b 5 bytes JMP 0000000173143b60 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075efeba5 5 bytes JMP 0000000173143b80 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074af5ea5 5 bytes JMP 0000000173143a00 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[2584] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074b29d0b 5 bytes JMP 0000000173143990 .text C:\Windows\SysWOW64\ntdll.dll[2680] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074d91d29 5 bytes JMP 0000000173144580 .text C:\Windows\SysWOW64\ntdll.dll[2680] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074d91dd7 5 bytes JMP 0000000173144540 .text C:\Windows\SysWOW64\ntdll.dll[2680] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074d92ab1 5 bytes JMP 0000000173144680 .text C:\Windows\SysWOW64\ntdll.dll[2680] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074d92d17 5 bytes JMP 0000000173144360 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076551401 2 bytes JMP 7516b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076551419 2 bytes JMP 7516b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076551431 2 bytes JMP 751e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007655144a 2 bytes CALL 751448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000765514dd 2 bytes JMP 751e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000765514f5 2 bytes JMP 751e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007655150d 2 bytes JMP 751e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076551525 2 bytes JMP 751e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007655153d 2 bytes JMP 7515fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076551555 2 bytes JMP 751668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007655156d 2 bytes JMP 751e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076551585 2 bytes JMP 751e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007655159d 2 bytes JMP 751e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000765515b5 2 bytes JMP 7515fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000765515cd 2 bytes JMP 7516b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000765516b2 2 bytes JMP 751e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000765516bd 2 bytes JMP 751e85f1 C:\Windows\syswow64\kernel32.dll .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075141f0e 7 bytes JMP 0000000173144b10 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075145bad 7 bytes JMP 00000001731454b0 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075151409 7 bytes JMP 0000000173144e50 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007515ea45 7 bytes JMP 0000000173144b00 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000751e8e24 7 bytes JMP 00000001731445c0 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000751e8ea9 5 bytes JMP 0000000173144670 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000751e91ff 5 bytes JMP 00000001731445d0 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074d91d29 5 bytes JMP 0000000173144580 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074d91dd7 5 bytes JMP 0000000173144540 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074d92ab1 5 bytes JMP 0000000173144680 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074d92d17 5 bytes JMP 0000000173144360 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075efe96b 5 bytes JMP 0000000173143b60 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075efeba5 5 bytes JMP 0000000173143b80 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000749b8a29 5 bytes JMP 0000000173143a40 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000749c4572 5 bytes JMP 00000001731442e0 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000749de567 5 bytes JMP 0000000173144350 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000074a007d7 5 bytes JMP 0000000173143850 .text E:\Download\150415_Win7_FixItPC\GMER 2.1.19357\tcsl2ckb.exe[3024] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074a17a5c 5 bytes JMP 00000001731442d0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\ntdll.dll [2680:2684] 0000000061ff5b52 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffaf444d9 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885dd4d75 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885dd4d75@3859f9fa7c84 0xDA 0x5E 0x25 0x42 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885dd4d75@34fcef7d4eae 0x91 0x63 0x45 0xD7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885dd4d75@0023b4a57d8e 0x6B 0x35 0x91 0x1C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffaf444d9 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885dd4d75 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885dd4d75@3859f9fa7c84 0xDA 0x5E 0x25 0x42 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885dd4d75@34fcef7d4eae 0x91 0x63 0x45 0xD7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885dd4d75@0023b4a57d8e 0x6B 0x35 0x91 0x1C ... Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\889ffaf444d9 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\c01885dd4d75 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\c01885dd4d75@0023b4a57d8e 0xFD 0x0C 0xE3 0x02 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@E:\Download\Win7_zapamiętywania ustawień folderów KB813711\Fix it portable\Launch Fix\xa0it.exe 1 ---- EOF - GMER 2.1 ----