GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-19 19:39:40
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GH10 465,76GB
Running: os7717f0.exe; Driver: C:\Users\JS\AppData\Local\Temp\uwldypow.sys


---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077071401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077071419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077071431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007707144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000770714dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000770714f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007707150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077071525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007707153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077071555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007707156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077071585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007707159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000770715b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000770715cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000770716b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2228]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000770716bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077071401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077071419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077071431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007707144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000770714dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000770714f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007707150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077071525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007707153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077071555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007707156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077071585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007707159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000770715b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000770715cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000770716b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3384]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000770716bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000741211a8 2 bytes [12, 74]
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248  000000007412127d 2 bytes CALL 75dc14dd C:\Windows\syswow64\kernel32.dll
.text  ...  * 6
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000741213a8 2 bytes [12, 74]
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  0000000074121422 2 bytes [12, 74]
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000074121498 2 bytes [12, 74]
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextCreate + 4  0000000070cc1825 2 bytes JMP 75a65e8d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroy + 4  0000000070cc1830 2 bytes JMP 75a65ead C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroyAll + 4  0000000070cc183b 2 bytes JMP 75a65ecd C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dDrawPrimitives2 + 4  0000000070cc1846 2 bytes JMP 75a6576d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dValidateTextureStageState + 4  0000000070cc1851 2 bytes JMP 75a65eed C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAddAttachedSurface + 4  0000000070cc185c 2 bytes JMP 75a65fcd C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAlphaBlt + 4  0000000070cc1867 2 bytes JMP 75a65fed C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAttachSurface + 4  0000000070cc1872 2 bytes JMP 75a6600d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBeginMoCompFrame + 4  0000000070cc187d 2 bytes JMP 75a6602d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBlt + 4  0000000070cc1888 2 bytes JMP 75a6578d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateD3DBuffer + 4  0000000070cc1893 2 bytes JMP 75a6604d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateSurface + 4  0000000070cc189e 2 bytes JMP 75a6580d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdColorControl + 4  0000000070cc18a9 2 bytes JMP 75a6606d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateD3DBuffer + 4  0000000070cc18b4 2 bytes JMP 75a6608d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateDirectDrawObject + 4  0000000070cc18bf 2 bytes JMP 75a31a12 C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateMoComp + 4  0000000070cc18ca 2 bytes JMP 75a660cd C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurface + 4  0000000070cc18d5 2 bytes JMP 75a6582d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceEx + 4  0000000070cc18e0 2 bytes JMP 75a658ad C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceObject + 4  0000000070cc18eb 2 bytes JMP 75a658cd C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteDirectDrawObject + 4  0000000070cc18f6 2 bytes JMP 75a6662d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteSurfaceObject + 4  0000000070cc1901 2 bytes JMP 75a657ed C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyD3DBuffer + 4  0000000070cc190c 2 bytes JMP 75a6664d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyMoComp + 4  0000000070cc1917 2 bytes JMP 75a6668d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroySurface + 4  0000000070cc1922 2 bytes JMP 75a6584d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdEndMoCompFrame + 4  0000000070cc192d 2 bytes JMP 75a666ad C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlip + 4  0000000070cc1938 2 bytes JMP 75a666cd C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlipToGDISurface + 4  0000000070cc1943 2 bytes JMP 75a666ed C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetAvailDriverMemory + 4  0000000070cc194e 2 bytes JMP 75a6670d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetBltStatus + 4  0000000070cc1959 2 bytes JMP 75a6672d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDC + 4  0000000070cc1964 2 bytes JMP 75a6674d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverInfo + 4  0000000070cc196f 2 bytes JMP 75a6676d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverState + 4  0000000070cc197a 2 bytes JMP 75a6678d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDxHandle + 4  0000000070cc1985 2 bytes JMP 75a667ad C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetFlipStatus + 4  0000000070cc1990 2 bytes JMP 75a667cd C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetInternalMoCompInfo + 4  0000000070cc199b 2 bytes JMP 75a667ed C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompBuffInfo + 4  0000000070cc19a6 2 bytes JMP 75a6680d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompFormats + 4  0000000070cc19b1 2 bytes JMP 75a6682d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompGuids + 4  0000000070cc19bc 2 bytes JMP 75a6684d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetScanLine + 4  0000000070cc19c7 2 bytes JMP 75a6686d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLock + 4  0000000070cc19d2 2 bytes JMP 75a6688d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLockD3D + 4  0000000070cc19dd 2 bytes JMP 75a658ed C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryDirectDrawObject + 4  0000000070cc19e8 2 bytes JMP 75a668cd C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryMoCompStatus + 4  0000000070cc19f3 2 bytes JMP 75a668ed C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReenableDirectDrawObject + 4  0000000070cc19fe 2 bytes JMP 75a6692b C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReleaseDC + 4  0000000070cc1a09 2 bytes JMP 75a6694b C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdRenderMoComp + 4  0000000070cc1a14 2 bytes JMP 75a6696b C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdResetVisrgn + 4  0000000070cc1a1f 2 bytes JMP 75a6586d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetColorKey + 4  0000000070cc1a2a 2 bytes JMP 75a6698b C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetExclusiveMode + 4  0000000070cc1a35 2 bytes JMP 75a669ab C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetGammaRamp + 4  0000000070cc1a40 2 bytes JMP 75a669cb C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetOverlayPosition + 4  0000000070cc1a4b 2 bytes JMP 75a669eb C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnattachSurface + 4  0000000070cc1a56 2 bytes JMP 75a66a0b C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlock + 4  0000000070cc1a61 2 bytes JMP 75a66a2b C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlockD3D + 4  0000000070cc1a6c 2 bytes JMP 75a6590d C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUpdateOverlay + 4  0000000070cc1a77 2 bytes JMP 75a66a4b C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 4  0000000070cc1a82 2 bytes JMP 75a66a6b C:\Windows\syswow64\GDI32.dll
.text  C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3428]  C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 52  0000000070cc1ab2 2 bytes JMP 761edc75 C:\Windows\syswow64\msvcrt.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection  00000000770bfbe0 5 bytes JMP 00000001023f890b
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077071401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077071419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077071431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007707144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000770714dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000770714f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007707150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077071525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007707153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077071555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007707156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077071585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007707159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000770715b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000770715cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000770716b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4276]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000770716bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection  00000000770bfbe0 5 bytes JMP 0000000101e0890b
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077071401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077071419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077071431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007707144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000770714dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000770714f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007707150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077071525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007707153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077071555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007707156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077071585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007707159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000770715b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000770715cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000770716b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4272]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000770716bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection  00000000770bfbe0 5 bytes JMP 000000010258890b
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000077071401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000077071419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000077071431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007707144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000770714dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000770714f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007707150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077071525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007707153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000077071555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007707156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000077071585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007707159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000770715b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000770715cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000770716b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4292]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000770716bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\SysWOW64\msiexec.exe [4276:4364]  00000000023f8988
Thread  C:\Windows\SysWOW64\msiexec.exe [4276:4372]  00000000023f5ec1
Thread  C:\Windows\SysWOW64\msiexec.exe [4272:4356]  0000000001e08988
Thread  C:\Windows\SysWOW64\msiexec.exe [4292:4360]  0000000002588988

---- Processes - GMER 2.1 ----

Library  \\?\C:\Windows\system32\ws2_32.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4276] (Biblioteka DLL 32-bitowej wersji usługi Windows Socket 2.0/Microsoft Corporation)(2009-07-13 23:21:39)  0000000076610000
Library  \\?\C:\Windows\system32\winhttp.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4276] (Windows HTTP Services/Microsoft Corporation)(2009-07-14 00:11:19  00000000720b0000
Library  \\?\C:\Windows\system32\crypt32.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4276] (Crypto API32/Microsoft Corporation)(2009-07-13 23:50:20)  0000000075eb0000
Library  \\?\C:\Windows\system32\dnsapi.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4276] (DNS Client API DLL/Microsoft Corporation)(2009-07-13 23:21:21)  00000000728c0000
Library  \\?\C:\Windows\system32\ws2_32.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4272] (Biblioteka DLL 32-bitowej wersji usługi Windows Socket 2.0/Microsoft Corporation)(2009-07-13 23:21:39)  0000000076610000
Library  \\?\C:\Windows\system32\winhttp.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4272] (Windows HTTP Services/Microsoft Corporation)(2009-07-14 00:11:19  00000000720b0000
Library  \\?\C:\Windows\system32\crypt32.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4272] (Crypto API32/Microsoft Corporation)(2009-07-13 23:50:20)  0000000075eb0000
Library  \\?\C:\Windows\system32\dnsapi.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4272] (DNS Client API DLL/Microsoft Corporation)(2009-07-13 23:21:21)  00000000728c0000
Library  \\?\C:\Windows\system32\ws2_32.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4292] (Biblioteka DLL 32-bitowej wersji usługi Windows Socket 2.0/Microsoft Corporation)(2009-07-13 23:21:39)  0000000076610000
Library  \\?\C:\Windows\system32\winhttp.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4292] (Windows HTTP Services/Microsoft Corporation)(2009-07-14 00:11:19  00000000720b0000
Library  \\?\C:\Windows\system32\crypt32.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4292] (Crypto API32/Microsoft Corporation)(2009-07-13 23:50:20)  0000000075eb0000
Library  \\?\C:\Windows\system32\dnsapi.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4292] (DNS Client API DLL/Microsoft Corporation)(2009-07-13 23:21:21)  00000000728c0000

---- EOF - GMER 2.1 ----