GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-22 20:49:20
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\0000006d ATA_____ rev.0001 931,51GB
Running: 7fs3jk7t.exe; Driver: C:\Users\Grzesiek\AppData\Local\Temp\uwkdruob.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- User code sections - GMER 2.1 ----

.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076111401 2 bytes JMP 7660eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076111419 2 bytes JMP 7661b513 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076111431 2 bytes JMP 76698609 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007611144a 2 bytes CALL 765f1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000761114dd 2 bytes JMP 76697efe C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000761114f5 2 bytes JMP 766980d8 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007611150d 2 bytes JMP 76697df4 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076111525 2 bytes JMP 766981c2 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007611153d 2 bytes JMP 7660f088 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076111555 2 bytes JMP 7661b885 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007611156d 2 bytes JMP 766986c1 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076111585 2 bytes JMP 76698222 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007611159d 2 bytes JMP 76697db8 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000761115b5 2 bytes JMP 7660f121 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000761115cd 2 bytes JMP 7661b29f C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000761116b2 2 bytes JMP 76698584 C:\Windows\syswow64\kernel32.dll
.text  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000761116bd 2 bytes JMP 76697d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076111401 2 bytes JMP 7660eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076111419 2 bytes JMP 7661b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076111431 2 bytes JMP 76698609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007611144a 2 bytes CALL 765f1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000761114dd 2 bytes JMP 76697efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000761114f5 2 bytes JMP 766980d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007611150d 2 bytes JMP 76697df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076111525 2 bytes JMP 766981c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007611153d 2 bytes JMP 7660f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076111555 2 bytes JMP 7661b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007611156d 2 bytes JMP 766986c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076111585 2 bytes JMP 76698222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007611159d 2 bytes JMP 76697db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000761115b5 2 bytes JMP 7660f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000761115cd 2 bytes JMP 7661b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000761116b2 2 bytes JMP 76698584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\XTab\ProtectService.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000761116bd 2 bytes JMP 76697d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076111401 2 bytes JMP 7660eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076111419 2 bytes JMP 7661b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076111431 2 bytes JMP 76698609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007611144a 2 bytes CALL 765f1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000761114dd 2 bytes JMP 76697efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000761114f5 2 bytes JMP 766980d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007611150d 2 bytes JMP 76697df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076111525 2 bytes JMP 766981c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007611153d 2 bytes JMP 7660f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076111555 2 bytes JMP 7661b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007611156d 2 bytes JMP 766986c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076111585 2 bytes JMP 76698222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007611159d 2 bytes JMP 76697db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000761115b5 2 bytes JMP 7660f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000761115cd 2 bytes JMP 7661b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000761116b2 2 bytes JMP 76698584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000761116bd 2 bytes JMP 76697d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000738311a8 2 bytes [83, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248  000000007383127d 2 bytes CALL 765f14dd C:\Windows\syswow64\kernel32.dll
.text  ...  * 6
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000738313a8 2 bytes [83, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  0000000073831422 2 bytes [83, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3584] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000073831498 2 bytes [83, 73]
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076111401 2 bytes JMP 7660eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076111419 2 bytes JMP 7661b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076111431 2 bytes JMP 76698609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007611144a 2 bytes CALL 765f1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000761114dd 2 bytes JMP 76697efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000761114f5 2 bytes JMP 766980d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007611150d 2 bytes JMP 76697df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076111525 2 bytes JMP 766981c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007611153d 2 bytes JMP 7660f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076111555 2 bytes JMP 7661b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007611156d 2 bytes JMP 766986c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076111585 2 bytes JMP 76698222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007611159d 2 bytes JMP 76697db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000761115b5 2 bytes JMP 7660f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000761115cd 2 bytes JMP 7661b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000761116b2 2 bytes JMP 76698584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000761116bd 2 bytes JMP 76697d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076111401 2 bytes JMP 7660eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076111419 2 bytes JMP 7661b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076111431 2 bytes JMP 76698609 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007611144a 2 bytes CALL 765f1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000761114dd 2 bytes JMP 76697efe C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000761114f5 2 bytes JMP 766980d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007611150d 2 bytes JMP 76697df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076111525 2 bytes JMP 766981c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007611153d 2 bytes JMP 7660f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076111555 2 bytes JMP 7661b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007611156d 2 bytes JMP 766986c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076111585 2 bytes JMP 76698222 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007611159d 2 bytes JMP 76697db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000761115b5 2 bytes JMP 7660f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000761115cd 2 bytes JMP 7661b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000761116b2 2 bytes JMP 76698584 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000761116bd 2 bytes JMP 76697d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076111401 2 bytes JMP 7660eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076111419 2 bytes JMP 7661b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076111431 2 bytes JMP 76698609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007611144a 2 bytes CALL 765f1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000761114dd 2 bytes JMP 76697efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000761114f5 2 bytes JMP 766980d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007611150d 2 bytes JMP 76697df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076111525 2 bytes JMP 766981c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007611153d 2 bytes JMP 7660f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076111555 2 bytes JMP 7661b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007611156d 2 bytes JMP 766986c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076111585 2 bytes JMP 76698222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007611159d 2 bytes JMP 76697db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000761115b5 2 bytes JMP 7660f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000761115cd 2 bytes JMP 7661b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000761116b2 2 bytes JMP 76698584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1720] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000761116bd 2 bytes JMP 76697d4d C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [3256:6088]  000007fef53b9688

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1432] (Windows SysTool Svr/SysTool PasSame LIMITED)(2014-12-27 19:19:14)  0000000000b40000
Process  C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe (*** suspicious ***) @ C:\Users\Grzesiek\AppData\Roaming\uTorrent\uTorrent.exe [2204] (µTorrent/BitTorrent Inc.)(2014-12-27 19:19:51)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689da1d533
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689da1d533@30766f2b6962  0x8E 0x96 0xEB 0x2C ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689da1d533 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689da1d533@30766f2b6962  0x8E 0x96 0xEB 0x2C ...

---- EOF - GMER 2.1 ----