GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-21 19:21:01
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GH10 465,76GB
Running: os7717f0.exe; Driver: C:\Users\JS\AppData\Local\Temp\uwldypow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 754deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076821419 2 bytes JMP 754eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076821431 2 bytes JMP 75568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007682144a 2 bytes CALL 754c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768214dd 2 bytes JMP 75567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768214f5 2 bytes JMP 755680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007682150d 2 bytes JMP 75567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076821525 2 bytes JMP 755681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007682153d 2 bytes JMP 754df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076821555 2 bytes JMP 754eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007682156d 2 bytes JMP 755686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076821585 2 bytes JMP 75568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007682159d 2 bytes JMP 75567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768215b5 2 bytes JMP 754df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768215cd 2 bytes JMP 754eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768216b2 2 bytes JMP 75568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768216bd 2 bytes JMP 75567d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 754deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076821419 2 bytes JMP 754eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076821431 2 bytes JMP 75568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007682144a 2 bytes CALL 754c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768214dd 2 bytes JMP 75567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768214f5 2 bytes JMP 755680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007682150d 2 bytes JMP 75567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076821525 2 bytes JMP 755681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007682153d 2 bytes JMP 754df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076821555 2 bytes JMP 754eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007682156d 2 bytes JMP 755686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076821585 2 bytes JMP 75568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007682159d 2 bytes JMP 75567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768215b5 2 bytes JMP 754df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768215cd 2 bytes JMP 754eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768216b2 2 bytes JMP 75568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768216bd 2 bytes JMP 75567d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000738b11a8 2 bytes [8B, 73]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 00000000738b127d 2 bytes CALL 754c14dd C:\Windows\syswow64\kernel32.dll
.text ... * 6
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000738b13a8 2 bytes [8B, 73]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 00000000738b1422 2 bytes [8B, 73]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 00000000738b1498 2 bytes [8B, 73]
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 754deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076821419 2 bytes JMP 754eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076821431 2 bytes JMP 75568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007682144a 2 bytes CALL 754c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768214dd 2 bytes JMP 75567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768214f5 2 bytes JMP 755680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007682150d 2 bytes JMP 75567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076821525 2 bytes JMP 755681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007682153d 2 bytes JMP 754df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076821555 2 bytes JMP 754eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007682156d 2 bytes JMP 755686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076821585 2 bytes JMP 75568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007682159d 2 bytes JMP 75567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768215b5 2 bytes JMP 754df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768215cd 2 bytes JMP 754eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768216b2 2 bytes JMP 75568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768216bd 2 bytes JMP 75567d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 754deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076821419 2 bytes JMP 754eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076821431 2 bytes JMP 75568609 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007682144a 2 bytes CALL 754c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768214dd 2 bytes JMP 75567efe C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768214f5 2 bytes JMP 755680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007682150d 2 bytes JMP 75567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076821525 2 bytes JMP 755681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007682153d 2 bytes JMP 754df088 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076821555 2 bytes JMP 754eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007682156d 2 bytes JMP 755686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076821585 2 bytes JMP 75568222 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007682159d 2 bytes JMP 75567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768215b5 2 bytes JMP 754df121 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768215cd 2 bytes JMP 754eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768216b2 2 bytes JMP 75568584 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768216bd 2 bytes JMP 75567d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000738b11a8 2 bytes [8B, 73]
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 00000000738b127d 2 bytes CALL 754c14dd C:\Windows\syswow64\kernel32.dll
.text ... * 6
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000738b13a8 2 bytes [8B, 73]
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 00000000738b1422 2 bytes [8B, 73]
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 00000000738b1498 2 bytes [8B, 73]
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextCreate + 4 00000000749b1825 2 bytes JMP 751e5e8d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroy + 4 00000000749b1830 2 bytes JMP 751e5ead C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroyAll + 4 00000000749b183b 2 bytes JMP 751e5ecd C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dDrawPrimitives2 + 4 00000000749b1846 2 bytes JMP 751e576d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dValidateTextureStageState + 4 00000000749b1851 2 bytes JMP 751e5eed C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAddAttachedSurface + 4 00000000749b185c 2 bytes JMP 751e5fcd C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAlphaBlt + 4 00000000749b1867 2 bytes JMP 751e5fed C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAttachSurface + 4 00000000749b1872 2 bytes JMP 751e600d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBeginMoCompFrame + 4 00000000749b187d 2 bytes JMP 751e602d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBlt + 4 00000000749b1888 2 bytes JMP 751e578d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateD3DBuffer + 4 00000000749b1893 2 bytes JMP 751e604d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateSurface + 4 00000000749b189e 2 bytes JMP 751e580d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdColorControl + 4 00000000749b18a9 2 bytes JMP 751e606d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateD3DBuffer + 4 00000000749b18b4 2 bytes JMP 751e608d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateDirectDrawObject + 4 00000000749b18bf 2 bytes JMP 751b1a12 C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateMoComp + 4 00000000749b18ca 2 bytes JMP 751e60cd C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurface + 4 00000000749b18d5 2 bytes JMP 751e582d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceEx + 4 00000000749b18e0 2 bytes JMP 751e58ad C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceObject + 4 00000000749b18eb 2 bytes JMP 751e58cd C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteDirectDrawObject + 4 00000000749b18f6 2 bytes JMP 751e662d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteSurfaceObject + 4 00000000749b1901 2 bytes JMP 751e57ed C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyD3DBuffer + 4 00000000749b190c 2 bytes JMP 751e664d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyMoComp + 4 00000000749b1917 2 bytes JMP 751e668d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroySurface + 4 00000000749b1922 2 bytes JMP 751e584d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdEndMoCompFrame + 4 00000000749b192d 2 bytes JMP 751e66ad C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlip + 4 00000000749b1938 2 bytes JMP 751e66cd C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlipToGDISurface + 4 00000000749b1943 2 bytes JMP 751e66ed C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetAvailDriverMemory + 4 00000000749b194e 2 bytes JMP 751e670d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetBltStatus + 4 00000000749b1959 2 bytes JMP 751e672d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDC + 4 00000000749b1964 2 bytes JMP 751e674d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverInfo + 4 00000000749b196f 2 bytes JMP 751e676d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverState + 4 00000000749b197a 2 bytes JMP 751e678d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDxHandle + 4 00000000749b1985 2 bytes JMP 751e67ad C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetFlipStatus + 4 00000000749b1990 2 bytes JMP 751e67cd C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetInternalMoCompInfo + 4 00000000749b199b 2 bytes JMP 751e67ed C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompBuffInfo + 4 00000000749b19a6 2 bytes JMP 751e680d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompFormats + 4 00000000749b19b1 2 bytes JMP 751e682d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompGuids + 4 00000000749b19bc 2 bytes JMP 751e684d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetScanLine + 4 00000000749b19c7 2 bytes JMP 751e686d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLock + 4 00000000749b19d2 2 bytes JMP 751e688d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLockD3D + 4 00000000749b19dd 2 bytes JMP 751e58ed C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryDirectDrawObject + 4 00000000749b19e8 2 bytes JMP 751e68cd C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryMoCompStatus + 4 00000000749b19f3 2 bytes JMP 751e68ed C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReenableDirectDrawObject + 4 00000000749b19fe 2 bytes JMP 751e692b C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReleaseDC + 4 00000000749b1a09 2 bytes JMP 751e694b C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdRenderMoComp + 4 00000000749b1a14 2 bytes JMP 751e696b C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdResetVisrgn + 4 00000000749b1a1f 2 bytes JMP 751e586d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetColorKey + 4 00000000749b1a2a 2 bytes JMP 751e698b C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetExclusiveMode + 4 00000000749b1a35 2 bytes JMP 751e69ab C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetGammaRamp + 4 00000000749b1a40 2 bytes JMP 751e69cb C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetOverlayPosition + 4 00000000749b1a4b 2 bytes JMP 751e69eb C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnattachSurface + 4 00000000749b1a56 2 bytes JMP 751e6a0b C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlock + 4 00000000749b1a61 2 bytes JMP 751e6a2b C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlockD3D + 4 00000000749b1a6c 2 bytes JMP 751e590d C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUpdateOverlay + 4 00000000749b1a77 2 bytes JMP 751e6a4b C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 4 00000000749b1a82 2 bytes JMP 751e6a6b C:\Windows\syswow64\GDI32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 52 00000000749b1ab2 2 bytes JMP 75a7dc75 C:\Windows\syswow64\msvcrt.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 754deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076821419 2 bytes JMP 754eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076821431 2 bytes JMP 75568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007682144a 2 bytes CALL 754c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768214dd 2 bytes JMP 75567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768214f5 2 bytes JMP 755680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007682150d 2 bytes JMP 75567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076821525 2 bytes JMP 755681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007682153d 2 bytes JMP 754df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076821555 2 bytes JMP 754eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007682156d 2 bytes JMP 755686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076821585 2 bytes JMP 75568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007682159d 2 bytes JMP 75567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768215b5 2 bytes JMP 754df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768215cd 2 bytes JMP 754eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768216b2 2 bytes JMP 75568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768216bd 2 bytes JMP 75567d4d C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Windows\syswow64\svchost.exe [3200:3208] 0000000000096a60
Thread C:\Windows\syswow64\svchost.exe [3200:3268] 0000000000092be0
Thread C:\Windows\syswow64\svchost.exe [3200:3180] 00000000000964d0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4732:4860] 000007fefbc02a74
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4732:4868] 000007feeb8fc0b0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4732:5092] 000007feeb869e68
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4732:5096] 000007feeb8fc0b0

---- EOF - GMER 2.1 ----
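The scan output above is raw GMER text, and triaging it by eye across several processes is error-prone. The following Python is an added example, not part of GMER and not part of this log: it parses the ".text" hook lines from the "User code sections" part into records, counts hooked sites per PID, and flags any site (module, export, offset) whose patch resolves to a different destination in different processes. The SAMPLE lines are copied from the log above; DIVERGENT_SAMPLE is a constructed, hypothetical line (a made-up process and a made-up JMP destination) added only so the divergence check can be seen firing.

```python
"""Parse GMER 'User code sections' hook lines and triage them across processes."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One hook entry as GMER prints it:
# .text <process>[<pid>] <module>!<export> + <offset> <address> <n> bytes <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<export>\w+)\s\+\s(?P<offset>\d+)\s+"
    r"(?P<address>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes\s+(?P<patch>.+)$"
)
# The patch column is either a control transfer with its destination module
# ("JMP 754deb26 C:\...\kernel32.dll") or the raw replaced bytes ("[8B, 73]").
XFER_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)\s+(?P<target_module>\S+)$")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*)\]$")


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str
    export: str
    offset: int
    address: int
    size: int
    kind: str                     # "JMP", "CALL" or "BYTES"
    target: Optional[int]         # destination address for JMP/CALL, None for BYTES
    target_module: Optional[str]  # module owning the destination, None for BYTES
    raw_bytes: Optional[str]      # replaced bytes for BYTES entries, None otherwise


def parse_hook(line: str) -> Optional[Hook]:
    """Return a Hook for one '.text ...' line; None for headers, threads or '... * N' markers."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    patch = m["patch"].strip()
    x = XFER_RE.match(patch)
    b = BYTES_RE.match(patch)
    if x:
        kind, target, tmod, raw = x["kind"], int(x["target"], 16), x["target_module"], None
    elif b:
        kind, target, tmod, raw = "BYTES", None, None, b["bytes"]
    else:
        return None  # unknown patch form: leave it for manual review rather than guess
    return Hook(m["process"].strip(), int(m["pid"]), m["module"], m["export"],
                int(m["offset"]), int(m["address"], 16), int(m["size"]),
                kind, target, tmod, raw)


def parse_log(text: str) -> list:
    return [h for h in (parse_hook(line) for line in text.splitlines()) if h]


def hooks_by_process(hooks) -> dict:
    """PID -> number of hooked sites GMER reported in that process."""
    counts = defaultdict(int)
    for h in hooks:
        counts[h.pid] += 1
    return dict(counts)


def divergent_sites(hooks) -> set:
    """Sites (module, export, offset) whose patch differs between processes.

    A DLL image shared by every WOW64 process shows the same bytes at the same
    address in each of them; a site that resolves differently in different PIDs
    points at per-process patching and deserves a closer look first."""
    seen = defaultdict(set)
    for h in hooks:
        seen[(h.module, h.export, h.offset)].add((h.kind, h.target, h.target_module, h.raw_bytes))
    return {site for site, patches in seen.items() if len(patches) > 1}


# Lines copied from the GMER log above (the '... * 9' elision marker is kept to show it is skipped).
SAMPLE = r"""
---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 754deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007682144a 2 bytes CALL 754c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 754deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[400] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000738b11a8 2 bytes [8B, 73]
.text C:\Windows\syswow64\svchost.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 754deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe[3536] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000738b11a8 2 bytes [8B, 73]
"""

# Constructed, hypothetical line (not from the log): same PSAPI site, different destination.
DIVERGENT_SAMPLE = r"""
.text C:\example\hypothetical.exe[9999] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076821401 2 bytes JMP 00401000 C:\example\hypothetical.exe
"""

if __name__ == "__main__":
    hooks = parse_log(SAMPLE)
    print("hooks per PID:", hooks_by_process(hooks))
    print("divergent sites in log sample:", divergent_sites(hooks))
    print("divergent sites with constructed line:", divergent_sites(parse_log(SAMPLE + DIVERGENT_SAMPLE)))
```

Run it against a full GMER log by reading the file and passing its text to parse_log; the "---- ... ----" headers, Thread lines and ".text ... * N" elision markers are ignored, so the whole file can be fed in unchanged. The divergence check is a prioritisation aid, not a verdict: identical patches in every process still need to be attributed to a known component before the log is closed.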