GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-05 05:58:26
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD2500AAKX-753CA1 rev.19.01H19 232,89GB
Running: jhnmqgsg.exe; Driver: C:\Users\JARO\AppData\Local\Temp\kwdiypog.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff8800533fd8c 12 bytes {MOV RAX, 0xfffffa800674e2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1428] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp[1756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Edu App\bin\utilEduApp.exe[2036] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\KERNEL32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\JARO\AppData\Local\gmsd_pl_125\upgmsd_pl_125.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.expext.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074de1431 2 bytes JMP 756c8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074de144a 2 bytes CALL 7562489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074de14dd 2 bytes JMP 756c8822 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074de14f5 2 bytes JMP 756c89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074de150d 2 bytes JMP 756c8718 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074de1525 2 bytes JMP 756c8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074de153d 2 bytes JMP 7563fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074de1555 2 bytes JMP 756468ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074de156d 2 bytes JMP 756c8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074de1585 2 bytes JMP 756c8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074de159d 2 bytes JMP 756c86dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074de15b5 2 bytes JMP 7563fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074de15cd 2 bytes JMP 7564b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074de16b2 2 bytes JMP 756c8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Edu App\bin\EduApp.BrowserAdapter.exe[3472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074de16bd 2 bytes JMP 756c8671 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b4f1c] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b4cc0] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b569c] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b5a98] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b58f4] \SystemRoot\System32\Drivers\sptd.sys [unknown section]

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdePort4 fffffa80053412c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa80053412c0
Device \Driver\atapi \Device\Ide\IdePort5 fffffa80053412c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa80053412c0
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa80053412c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa80053412c0
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80053412c0
Device \Driver\atapi \Device\Ide\IdePort3 fffffa80053412c0
Device \FileSystem\Ntfs \Ntfs fffffa80053452c0
Device \FileSystem\fastfat \Fat fffffa800778a2c0
Device \Driver\usbehci \Device\USBFDO-7 fffffa80067622c0
Device \Driver\USBSTOR \Device\00000078 fffffa80065852c0
Device \Driver\usbuhci \Device\USBPDO-5 fffffa80067342c0
Device \Driver\usbehci \Device\USBFDO-3 fffffa80067622c0
Device \Driver\usbuhci \Device\USBPDO-1 fffffa80067342c0
Device \Driver\cdrom \Device\CdRom0 fffffa800650a2c0
Device \Driver\USBSTOR \Device\0000006f fffffa80065852c0
Device \Driver\usbuhci \Device\USBPDO-6 fffffa80067342c0
Device \Driver\usbuhci \Device\USBFDO-4 fffffa80067342c0
Device \Driver\usbuhci \Device\USBFDO-0 fffffa80067342c0
Device \Driver\usbuhci \Device\USBPDO-2 fffffa80067342c0
Device \Driver\usbehci \Device\USBPDO-7 fffffa80067622c0
Device \Driver\usbuhci \Device\USBFDO-5 fffffa80067342c0
Device \Driver\usbehci \Device\USBPDO-3 fffffa80067622c0
Device \Driver\usbuhci \Device\USBFDO-1 fffffa80067342c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{1BC6FA4E-8161-461E-A09B-8DF55A7C34C2} fffffa80065972c0
Device \Driver\USBSTOR \Device\0000006d fffffa80065852c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80065972c0
Device \Driver\usbuhci \Device\USBFDO-6 fffffa80067342c0
Device \Driver\USBSTOR \Device\00000077 fffffa80065852c0
Device \Driver\usbuhci \Device\USBPDO-4 fffffa80067342c0
Device \Driver\usbuhci \Device\USBFDO-2 fffffa80067342c0
Device \Driver\atapi \Device\ScsiPort0 fffffa80053412c0
Device \Driver\usbuhci \Device\USBPDO-0 fffffa80067342c0
Device \Driver\atapi \Device\ScsiPort1 fffffa80053412c0
Device \Driver\atapi \Device\ScsiPort2 fffffa80053412c0
Device \Driver\atapi \Device\ScsiPort3 fffffa80053412c0
Device \Driver\atapi \Device\ScsiPort4 fffffa80053412c0
Device \Driver\atapi \Device\ScsiPort5 fffffa80053412c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80053412c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80053412c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062c9510] fffffa80062c9510
Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8005e31680] fffffa8005e31680
Trace \Driver\atapi[0xfffffa8005e5a860] -> IRP_MJ_CREATE -> 0xfffffa80053412c0 fffffa80053412c0

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [1752:3268] 000007fef6a39688
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3828:2412] 000007fefb2d2bf8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3828:3688] 000007fef92f5124

---- Processes - GMER 2.1 ----

Process C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\nsi4FE3.tmp (*** suspicious ***) @ C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\nsi4FE3.tmp [1692](2015-06-05 02:22:45) 0000000001210000
Process C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp (*** suspicious ***) @ C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\jnsd5F88.tmp [1756](2015-05-24 14:02:35) 0000000000110000
Process C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\hnsd74DE.tmp (*** suspicious ***) @ C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\hnsd74DE.tmp [1544](2015-05-24 14:02:40) 0000000001070000
Library C:\Users\JARO\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2684] (GG drive menu/GG Network S.A.)(2013- 000000005ff80000

---- EOF - GMER 2.1 ----
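A triage parser for the log above, added here as an example; it is not part of GMER and was not posted with the log. It assumes only the line shapes that actually occur in this log (section headers, `.text` user-mode and kernel hooks, `IAT` entries, `Process`/`Library` entries, and GMER's `... * N` elision marker). The sample input copies lines from the log, except the three lines for `C:\Example\hypothetical.exe[9999]` and its `hypothetical-hook.dll`, which are constructed solely to show what a process-specific hook looks like next to the system-wide ones.

```python
"""Triage helper for GMER 2.1 text logs (added example: not GMER's code and not from the post above).
GMER prints one finding per line under '---- <section> - GMER 2.1 ----' headers. This parser
recognises the line shapes present in the log above and answers the first-pass questions:
which user-mode hooks are identical in every hooked process and which are process-specific,
which driver owns another driver's IAT entries, where a kernel inline patch jumps, and what
GMER itself flagged as '*** suspicious ***'."""
import ntpath
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.1 ----$")
ELIDED_RE = re.compile(r"^\.text \.\.\. \* \d+$")  # GMER's marker for N collapsed similar lines
USER_HOOK_RE = re.compile(  # .text <process>[pid] <module>!<export> + off <addr> N bytes JMP|CALL <target> <dll>
    r"^\.text (?P<process>.+?)\[(?P<pid>\d+)\] (?P<module>[^!]+)!(?P<export>\S+) "
    r"\+ (?P<offset>\d+) (?P<addr>[0-9a-f]{16}) (?P<size>\d+) bytes "
    r"(?P<instr>JMP|CALL) (?P<target>[0-9a-f]+) (?P<target_module>.+)$")
KERNEL_HOOK_RE = re.compile(  # .text <driver>!<export> <addr> N bytes {disassembly}
    r"^\.text (?P<module>[^!]+)!(?P<export>\S+) (?P<addr>[0-9a-f]{16}) (?P<size>\d+) bytes "
    r"\{(?P<code>.+)\}$")
IAT_RE = re.compile(  # IAT <image>[<import>] [<addr>] <hooking module> [<section>]
    r"^IAT (?P<image>.+?)\[(?P<import>[^\]]+)\] \[(?P<addr>[0-9a-f]{16})\] (?P<hooker>\S+)"
    r"(?: \[(?P<section>[^\]]+)\])?$")
FLAG = r"(?P<flag> \(\*\*\* suspicious \*\*\*\))?"
PROCESS_RE = re.compile(r"^Process (?P<image>.+?)" + FLAG + r" @ (?P<path>.+?) \[(?P<pid>\d+)\]")
LIBRARY_RE = re.compile(r"^Library (?P<image>.+?)" + FLAG + r" @ (?P<host>.+?) \[(?P<pid>\d+)\]")
IMM64_RE = re.compile(r"0x([0-9a-f]{16})")  # the imm64 in 'MOV RAX, 0x...; JMP RAX'
SHAPES = [("user_hooks", USER_HOOK_RE), ("kernel_hooks", KERNEL_HOOK_RE), ("iat_hooks", IAT_RE),
          ("processes", PROCESS_RE), ("libraries", LIBRARY_RE)]


def parse(text):
    """Split a GMER log into typed records; lines of unknown shape are kept in 'unparsed'."""
    rec = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line) or ELIDED_RE.match(line):
            continue
        for kind, pattern in SHAPES:
            m = pattern.match(line)
            if m:
                rec[kind].append(m.groupdict())
                break
        else:
            rec["unparsed"].append(line)
    return rec


def _base(path):
    return ntpath.basename(path).lower()  # so PSAPI.DLL and psapi.dll group as one module


def summarize(rec):
    """Reduce parsed records to what an analyst checks first."""
    owners, hooked = defaultdict(set), set()  # hook signature -> processes carrying it
    for h in rec["user_hooks"]:
        proc = f'{h["process"]}[{h["pid"]}]'
        hooked.add(proc)
        sig = (f'{_base(h["module"])}!{h["export"]}+{h["offset"]} @{h["addr"]} '
               f'{h["instr"]} {h["target"]} -> {_base(h["target_module"])}')
        owners[sig].add(proc)
    iat = defaultdict(list)
    for i in rec["iat_hooks"]:
        iat[_base(i["hooker"])].append(f'{_base(i["image"])}[{i["import"]}]')
    inline = []
    for k in rec["kernel_hooks"]:
        m = IMM64_RE.search(k["code"])
        inline.append({"at": f'{_base(k["module"])}!{k["export"]}', "addr": k["addr"],
                       "size": int(k["size"]), "target": m.group(1) if m else None})
    return {
        "hooked_processes": sorted(hooked),
        # a signature is system-wide when every hooked process carries the identical patch
        "system_wide_hooks": sorted(s for s, p in owners.items() if len(hooked) > 1 and p == hooked),
        "process_specific_hooks": {s: sorted(p) for s, p in owners.items() if p != hooked},
        "iat_by_hooker": {k: sorted(v) for k, v in iat.items()},
        "kernel_inline": inline,
        "flagged": [e["image"] for e in rec["processes"] + rec["libraries"] if e["flag"]],
    }


# Sample input: copied from the log above, except the three C:\Example\hypothetical.exe[9999] lines,
# which are CONSTRUCTED (made-up process, made-up JMP into a made-up DLL) to show a process-specific hook.
SAMPLE = r"""
---- Kernel code sections - GMER 2.1 ----
.text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff8800533fd8c 12 bytes {MOV RAX, 0xfffffa800674e2a0; JMP RAX}
---- User code sections - GMER 2.1 ----
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1148] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3092] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\kernel32.dll
.text C:\Example\hypothetical.exe[9999] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074de1401 2 bytes JMP 7564b21b C:\Windows\syswow64\KERNEL32.dll
.text C:\Example\hypothetical.exe[9999] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074de1419 2 bytes JMP 7564b346 C:\Windows\syswow64\KERNEL32.dll
.text C:\Example\hypothetical.exe[9999] C:\Windows\syswow64\ntdll.dll!NtQuerySystemInformation + 5 0000000077a1f3c5 5 bytes JMP 10001000 C:\Example\hypothetical-hook.dll
---- Kernel IAT/EAT - GMER 2.1 ----
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b4f1c] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b4cc0] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
---- Processes - GMER 2.1 ----
Process C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\nsi4FE3.tmp (*** suspicious ***) @ C:\Users\JARO\AppData\Roaming\4C4C4544-1432476136-4C10-8050-C7C04F34354A\nsi4FE3.tmp [1692](2015-06-05 02:22:45) 0000000001210000
Library C:\Users\JARO\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2684] (GG drive menu/GG Network S.A.)(2013- 000000005ff80000
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse(SAMPLE)), indent=2))
```

On the sample this reports two system-wide PSAPI.DLL signatures (the same 2-byte JMP at the same address into kernel32.dll in every hooked process, with the `psapi.dll`/`KERNEL32.dll` spelling variant folded in), one process-specific hook (the constructed ntdll.dll entry), both atapi.sys imports resolving into sptd.sys, the USBPORT.SYS!DllUnload patch with its jump target fffffa800674e2a0, and the two entries GMER marked suspicious. Applied to the full log above, all nine WOW64 processes, soffice.bin included, carry the identical PSAPI.DLL set, which is the system-wide pattern; anything that landed in `process_specific_hooks` instead would be the entry to examine first. The `unparsed` list is the check that the regexes matched every line, which matters when GMER changes a line shape or a line was truncated, as the `Library` entry in this log is.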