GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-20 23:20:57
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SanDisk_ rev.X310 223,57GB
Running: xhoh6b7t.exe; Driver: C:\Users\user\AppData\Local\Temp\uxldipow.sys


---- User code sections - GMER 2.1 ----

.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ef1401 2 bytes JMP 762cb1ef C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ef1419 2 bytes JMP 762cb31a C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ef1431 2 bytes JMP 76348f09 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ef144a 2 bytes CALL 762a4885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ef14dd 2 bytes JMP 76348802 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ef14f5 2 bytes JMP 763489d8 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ef150d 2 bytes JMP 763486f8 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ef1525 2 bytes JMP 76348ac2 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ef153d 2 bytes JMP 762bfc78 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ef1555 2 bytes JMP 762c68bf C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ef156d 2 bytes JMP 76348fc1 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ef1585 2 bytes JMP 76348b22 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ef159d 2 bytes JMP 763486bc C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ef15b5 2 bytes JMP 762bfd11 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ef15cd 2 bytes JMP 762cb2b0 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ef16b2 2 bytes JMP 76348e84 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2632] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ef16bd 2 bytes JMP 76348651 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ef1401 2 bytes JMP 762cb1ef C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ef1419 2 bytes JMP 762cb31a C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ef1431 2 bytes JMP 76348f09 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ef144a 2 bytes CALL 762a4885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ef14dd 2 bytes JMP 76348802 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ef14f5 2 bytes JMP 763489d8 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ef150d 2 bytes JMP 763486f8 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ef1525 2 bytes JMP 76348ac2 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ef153d 2 bytes JMP 762bfc78 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ef1555 2 bytes JMP 762c68bf C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ef156d 2 bytes JMP 76348fc1 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ef1585 2 bytes JMP 76348b22 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ef159d 2 bytes JMP 763486bc C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ef15b5 2 bytes JMP 762bfd11 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ef15cd 2 bytes JMP 762cb2b0 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ef16b2 2 bytes JMP 76348e84 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5612] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ef16bd 2 bytes JMP 76348651 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ef1401 2 bytes JMP 762cb1ef C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ef1419 2 bytes JMP 762cb31a C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ef1431 2 bytes JMP 76348f09 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ef144a 2 bytes CALL 762a4885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ef14dd 2 bytes JMP 76348802 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ef14f5 2 bytes JMP 763489d8 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ef150d 2 bytes JMP 763486f8 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ef1525 2 bytes JMP 76348ac2 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ef153d 2 bytes JMP 762bfc78 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ef1555 2 bytes JMP 762c68bf C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ef156d 2 bytes JMP 76348fc1 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ef1585 2 bytes JMP 76348b22 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ef159d 2 bytes JMP 763486bc C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ef15b5 2 bytes JMP 762bfd11 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ef15cd 2 bytes JMP 762cb2b0 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ef16b2 2 bytes JMP 76348e84 C:\windows\syswow64\kernel32.dll
.text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[6100] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ef16bd 2 bytes JMP 76348651 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ef1401 2 bytes JMP 762cb1ef C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ef1419 2 bytes JMP 762cb31a C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ef1431 2 bytes JMP 76348f09 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ef144a 2 bytes CALL 762a4885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ef14dd 2 bytes JMP 76348802 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ef14f5 2 bytes JMP 763489d8 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ef150d 2 bytes JMP 763486f8 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ef1525 2 bytes JMP 76348ac2 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ef153d 2 bytes JMP 762bfc78 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ef1555 2 bytes JMP 762c68bf C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ef156d 2 bytes JMP 76348fc1 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ef1585 2 bytes JMP 76348b22 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ef159d 2 bytes JMP 763486bc C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ef15b5 2 bytes JMP 762bfd11 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ef15cd 2 bytes JMP 762cb2b0 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ef16b2 2 bytes JMP 76348e84 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5864] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ef16bd 2 bytes JMP 76348651 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ef1401 2 bytes JMP 762cb1ef C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ef1419 2 bytes JMP 762cb31a C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ef1431 2 bytes JMP 76348f09 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ef144a 2 bytes CALL 762a4885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ef14dd 2 bytes JMP 76348802 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ef14f5 2 bytes JMP 763489d8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ef150d 2 bytes JMP 763486f8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ef1525 2 bytes JMP 76348ac2 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ef153d 2 bytes JMP 762bfc78 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ef1555 2 bytes JMP 762c68bf C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ef156d 2 bytes JMP 76348fc1 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ef1585 2 bytes JMP 76348b22 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ef159d 2 bytes JMP 763486bc C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ef15b5 2 bytes JMP 762bfd11 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ef15cd 2 bytes JMP 762cb2b0 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ef16b2 2 bytes JMP 76348e84 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugincontainer.exe[6764] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ef16bd 2 bytes JMP 76348651 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ef1401 2 bytes JMP 762cb1ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ef1419 2 bytes JMP 762cb31a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ef1431 2 bytes JMP 76348f09 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ef144a 2 bytes CALL 762a4885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ef14dd 2 bytes JMP 76348802 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ef14f5 2 bytes JMP 763489d8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ef150d 2 bytes JMP 763486f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ef1525 2 bytes JMP 76348ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ef153d 2 bytes JMP 762bfc78 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ef1555 2 bytes JMP 762c68bf C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ef156d 2 bytes JMP 76348fc1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ef1585 2 bytes JMP 76348b22 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ef159d 2 bytes JMP 763486bc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ef15b5 2 bytes JMP 762bfd11 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ef15cd 2 bytes JMP 762cb2b0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ef16b2 2 bytes JMP 76348e84 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\c716fd70-872c-4aaa-a07f-e248365d7f56\updater.exe[6816] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ef16bd 2 bytes JMP 76348651 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ef1401 2 bytes JMP 762cb1ef C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ef1419 2 bytes JMP 762cb31a C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ef1431 2 bytes JMP 76348f09 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ef144a 2 bytes CALL 762a4885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ef14dd 2 bytes JMP 76348802 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ef14f5 2 bytes JMP 763489d8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ef150d 2 bytes JMP 763486f8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ef1525 2 bytes JMP 76348ac2 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ef153d 2 bytes JMP 762bfc78 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ef1555 2 bytes JMP 762c68bf C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ef156d 2 bytes JMP 76348fc1 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ef1585 2 bytes JMP 76348b22 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ef159d 2 bytes JMP 763486bc C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ef15b5 2 bytes JMP 762bfd11 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ef15cd 2 bytes JMP 762cb2b0 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ef16b2 2 bytes JMP 76348e84 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5744] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ef16bd 2 bytes JMP 76348651 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ef1401 2 bytes JMP 762cb1ef C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ef1419 2 bytes JMP 762cb31a C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ef1431 2 bytes JMP 76348f09 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ef144a 2 bytes CALL 762a4885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ef14dd 2 bytes JMP 76348802 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ef14f5 2 bytes JMP 763489d8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ef150d 2 bytes JMP 763486f8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ef1525 2 bytes JMP 76348ac2 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ef153d 2 bytes JMP 762bfc78 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ef1555 2 bytes JMP 762c68bf C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ef156d 2 bytes JMP 76348fc1 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ef1585 2 bytes JMP 76348b22 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ef159d 2 bytes JMP 763486bc C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ef15b5 2 bytes JMP 762bfd11 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ef15cd 2 bytes JMP 762cb2b0 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ef16b2 2 bytes JMP 76348e84 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\plugin.exe[5044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ef16bd 2 bytes JMP 76348651 C:\windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0a818
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0fdcf
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0fdcf@4c21d0e4ddcc 0x26 0x91 0x42 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0fde7
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0a818 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0fdcf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0fdcf@4c21d0e4ddcc 0x26 0x91 0x42 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0fde7 (not active ControlSet)

---- EOF - GMER 2.1 ----