GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-11 21:56:06
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: thoo0hdj.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\kwrdrpoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  00000000759a2ab1 5 bytes JMP 000000010037f63e
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075981401 2 bytes JMP 7771b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075981419 2 bytes JMP 7771b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075981431 2 bytes JMP 77798f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007598144a 2 bytes CALL 776f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759814dd 2 bytes JMP 77798822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759814f5 2 bytes JMP 777989f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007598150d 2 bytes JMP 77798718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075981525 2 bytes JMP 77798ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007598153d 2 bytes JMP 7770fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075981555 2 bytes JMP 777168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007598156d 2 bytes JMP 77798fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075981585 2 bytes JMP 77798b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007598159d 2 bytes JMP 777986dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759815b5 2 bytes JMP 7770fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759815cd 2 bytes JMP 7771b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759816b2 2 bytes JMP 77798ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759816bd 2 bytes JMP 77798671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075981401 2 bytes JMP 7771b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075981419 2 bytes JMP 7771b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075981431 2 bytes JMP 77798f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007598144a 2 bytes CALL 776f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759814dd 2 bytes JMP 77798822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759814f5 2 bytes JMP 777989f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007598150d 2 bytes JMP 77798718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075981525 2 bytes JMP 77798ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007598153d 2 bytes JMP 7770fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075981555 2 bytes JMP 777168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007598156d 2 bytes JMP 77798fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075981585 2 bytes JMP 77798b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007598159d 2 bytes JMP 777986dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759815b5 2 bytes JMP 7770fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759815cd 2 bytes JMP 7771b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759816b2 2 bytes JMP 77798ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[1092]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759816bd 2 bytes JMP 77798671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075981401 2 bytes JMP 7771b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075981419 2 bytes JMP 7771b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075981431 2 bytes JMP 77798f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007598144a 2 bytes CALL 776f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759814dd 2 bytes JMP 77798822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759814f5 2 bytes JMP 777989f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007598150d 2 bytes JMP 77798718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075981525 2 bytes JMP 77798ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007598153d 2 bytes JMP 7770fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075981555 2 bytes JMP 777168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007598156d 2 bytes JMP 77798fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075981585 2 bytes JMP 77798b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007598159d 2 bytes JMP 777986dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759815b5 2 bytes JMP 7770fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759815cd 2 bytes JMP 7771b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759816b2 2 bytes JMP 77798ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[3284]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759816bd 2 bytes JMP 77798671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075981401 2 bytes JMP 7771b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075981419 2 bytes JMP 7771b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075981431 2 bytes JMP 77798f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007598144a 2 bytes CALL 776f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759814dd 2 bytes JMP 77798822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759814f5 2 bytes JMP 777989f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007598150d 2 bytes JMP 77798718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075981525 2 bytes JMP 77798ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007598153d 2 bytes JMP 7770fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075981555 2 bytes JMP 777168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007598156d 2 bytes JMP 77798fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075981585 2 bytes JMP 77798b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007598159d 2 bytes JMP 777986dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759815b5 2 bytes JMP 7770fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759815cd 2 bytes JMP 7771b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759816b2 2 bytes JMP 77798ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3336]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759816bd 2 bytes JMP 77798671 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\SysWOW64\WSOCK32.dll!recv + 82  00000000747017fa 2 bytes CALL 776f11a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88  0000000074701860 2 bytes CALL 776f11a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98  0000000074701942 2 bytes JMP 77247089 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109  000000007470194d 2 bytes JMP 7724cba6 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075981401 2 bytes JMP 7771b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075981419 2 bytes JMP 7771b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075981431 2 bytes JMP 77798f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007598144a 2 bytes CALL 776f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759814dd 2 bytes JMP 77798822 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759814f5 2 bytes JMP 777989f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007598150d 2 bytes JMP 77798718 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075981525 2 bytes JMP 77798ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007598153d 2 bytes JMP 7770fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075981555 2 bytes JMP 777168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007598156d 2 bytes JMP 77798fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075981585 2 bytes JMP 77798b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007598159d 2 bytes JMP 777986dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759815b5 2 bytes JMP 7770fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759815cd 2 bytes JMP 7771b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759816b2 2 bytes JMP 77798ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4072]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759816bd 2 bytes JMP 77798671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075981401 2 bytes JMP 7771b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075981419 2 bytes JMP 7771b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075981431 2 bytes JMP 77798f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007598144a 2 bytes CALL 776f489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759814dd 2 bytes JMP 77798822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759814f5 2 bytes JMP 777989f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007598150d 2 bytes JMP 77798718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075981525 2 bytes JMP 77798ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007598153d 2 bytes JMP 7770fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075981555 2 bytes JMP 777168ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007598156d 2 bytes JMP 77798fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075981585 2 bytes JMP 77798b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007598159d 2 bytes JMP 777986dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759815b5 2 bytes JMP 7770fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759815cd 2 bytes JMP 7771b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759816b2 2 bytes JMP 77798ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3944]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759816bd 2 bytes JMP 77798671 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[1624] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread]  [10002370] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll
IAT  C:\Windows\Explorer.EXE[1624] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread]  [100034e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll
IAT  C:\Windows\Explorer.EXE[1624] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA]  [100011e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x3E 0xFF 0x8B 0x17 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xEA 0x60 0xDB 0x3B ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  1
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x3E 0xFF 0x8B 0x17 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xEA 0x60 0xDB 0x3B ...

---- EOF - GMER 2.1 ----