GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-21 11:23:40 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.19.0 465,76GB Running: qwqb1mzh.exe; Driver: C:\Users\admin\AppData\Local\Temp\kfpdrkog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 754fb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 754fb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 75578f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 754d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 75578832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 75578a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 75578728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 75578af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 754efc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 754f68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 75578ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 75578b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 755786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 754efd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 754fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 75578eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 75578681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754d8769 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 754fb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 754fb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 75578f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 754d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 75578832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 75578a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 75578728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 75578af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 754efc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 754f68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 75578ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 75578b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 755786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 754efd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 754fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 75578eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1928] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 75578681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 754fb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 754fb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 75578f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 754d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 75578832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 75578a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 75578728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 75578af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 754efc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 754f68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 75578ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 75578b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 755786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 754efd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 754fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 75578eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 75578681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754d8769 5 bytes JMP 000000016ca3a899 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000077329ebd 5 bytes JMP 000000016ca58960 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000077330afa 5 bytes JMP 000000016ca5c854 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000077331361 5 bytes JMP 000000016ca6bc41 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000077337849 5 bytes JMP 000000016cc68676 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075356143 5 bytes JMP 000000016d1e9b83 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000757b7e23 5 bytes JMP 000000016cb52690 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\OLEAUT32.DLL!SysFreeString 0000000076c83e59 5 bytes JMP 000000016ca8ea0b .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\OLEAUT32.DLL!VariantClear 0000000076c83eae 5 bytes JMP 000000016caad515 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\OLEAUT32.DLL!SysAllocStringByteLen 0000000076c84731 5 bytes JMP 000000016cb2f04e .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\OLEAUT32.DLL!VariantChangeType 0000000076c85dee 5 bytes JMP 000000016cb3e379 ? C:\Windows\system32\mssprxy.dll [3548] entry point in ".rdata" section 00000000717f71e6 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 754fb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 754fb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 75578f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 754d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 75578832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 75578a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 75578728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 75578af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 754efc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 754f68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 75578ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 75578b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 755786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 754efd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 754fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 75578eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 75578681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE[3548] C:\Program Files (x86)\Microsoft Office\Office15\outlrpc.dll!MAPIRevokeMoniker@4 + 657 000000007154287c 4 bytes [7B, FC, F9, EB] .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754d8769 5 bytes JMP 000000016ca3a899 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000077329ebd 5 bytes JMP 000000016ca58960 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000077330afa 5 bytes JMP 000000016ca5c854 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000077331361 5 bytes JMP 000000016ca6bc41 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000077337849 5 bytes JMP 000000016cc68676 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075356143 5 bytes JMP 000000016d1e9b83 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000757b7e23 5 bytes JMP 000000016cb52690 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\OLEAUT32.DLL!SysFreeString 0000000076c83e59 5 bytes JMP 000000016ca8ea0b .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\OLEAUT32.DLL!VariantClear 0000000076c83eae 5 bytes JMP 000000016caad515 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\OLEAUT32.DLL!SysAllocStringByteLen 0000000076c84731 5 bytes JMP 000000016cb2f04e .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\OLEAUT32.DLL!VariantChangeType 0000000076c85dee 5 bytes JMP 000000016cb3e379 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 754fb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 754fb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 75578f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 754d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 75578832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 75578a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 75578728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 75578af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 754efc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 754f68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 75578ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 75578b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 755786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 754efd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 754fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 75578eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE[4756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 75578681 C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [4756] entry point in ".rdata" section 00000000717f71e6 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE!wdGetApplicationObject + 18 0000000001141958 2 bytes [14, 01] .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE!wdGetApplicationObject + 202 0000000001141a10 2 bytes [14, 01] .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE!wdGetApplicationObject + 920 0000000001141cde 2 bytes [14, 01] .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754d8769 5 bytes JMP 000000016ca3a899 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000077329ebd 5 bytes JMP 000000016ca58960 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000077330afa 5 bytes JMP 000000016ca5c854 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000077331361 5 bytes JMP 000000016ca6bc41 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000077337849 5 bytes JMP 000000016cc68676 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075356143 5 bytes JMP 000000016d1e9b83 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076c83e59 5 bytes JMP 000000016ca8ea0b .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076c83eae 5 bytes JMP 000000016caad515 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076c84731 5 bytes JMP 000000016cb2f04e .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076c85dee 5 bytes JMP 000000016cb3e379 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000757b7e23 5 bytes JMP 000000016cb52690 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bc1401 2 bytes JMP 754fb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bc1419 2 bytes JMP 754fb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bc1431 2 bytes JMP 75578f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bc144a 2 bytes CALL 754d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bc14dd 2 bytes JMP 75578832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bc14f5 2 bytes JMP 75578a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bc150d 2 bytes JMP 75578728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bc1525 2 bytes JMP 75578af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bc153d 2 bytes JMP 754efc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bc1555 2 bytes JMP 754f68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bc156d 2 bytes JMP 75578ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bc1585 2 bytes JMP 75578b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bc159d 2 bytes JMP 755786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bc15b5 2 bytes JMP 754efd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bc15cd 2 bytes JMP 754fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bc16b2 2 bytes JMP 75578eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bc16bd 2 bytes JMP 75578681 C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [4060] entry point in ".rdata" section 00000000717f71e6 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\spoolsv.exe[1628] @ C:\Windows\System32\localspl.dll[KERNEL32.dll!QueryDosDeviceW] [180003f80] C:\Windows\System32\WilCom64.dll ---- Processes - GMER 2.1 ---- Library c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{884C6937-D24C-4258-8FE8-39EB9C28C027}\offreg.960.dll (*** suspicious ***) @ c:\Program Files\Microsoft Security Client\MsMpEng.exe [960](2015-09-21 05:45:10) 000007fef9e80000 ---- EOF - GMER 2.1 ----