GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-31 16:16:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e WDC_____ rev.03.0 931,51GB
Running: hljzutyd.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\pwlirpog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000759a1efe 7 bytes JMP 00000001743f4b10
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000759a5b9d 7 bytes JMP 00000001743f54b0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000759b13f9 7 bytes JMP 00000001743f4e50
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000759bea45 7 bytes JMP 00000001743f4b00
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075a48f4c 7 bytes JMP 00000001743f45c0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075a48fd1 5 bytes JMP 00000001743f4670
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075a49327 5 bytes JMP 00000001743f45d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b21d29 5 bytes JMP 00000001743f4580
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076b21dd7 5 bytes JMP 00000001743f4540
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b22ab1 5 bytes JMP 00000001010af4f2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b22d1d 5 bytes JMP 00000001743f4360
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076a28a29 5 bytes JMP 00000001743f3a40
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076a34572 5 bytes JMP 00000001743f42e0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076a4e567 5 bytes JMP 00000001743f4350
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076a707d7 5 bytes JMP 00000001743f3850
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076a87a5c 5 bytes JMP 00000001743f42d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007686d2b4 5 bytes JMP 00000001743f3b60
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007686d4ee 5 bytes JMP 00000001743f3b80
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075cd5ea5 5 bytes JMP 00000001743f3a00
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3720] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d09d0b 5 bytes JMP 00000001743f3990
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076261401 2 bytes JMP 759cb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076261419 2 bytes JMP 759cb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076261431 2 bytes JMP 75a48fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007626144a 2 bytes CALL 759a489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762614dd 2 bytes JMP 75a488c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762614f5 2 bytes JMP 75a48aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007626150d 2 bytes JMP 75a487ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076261525 2 bytes JMP 75a48b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007626153d 2 bytes JMP 759bfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076261555 2 bytes JMP 759c68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007626156d 2 bytes JMP 75a49089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076261585 2 bytes JMP 75a48bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007626159d 2 bytes JMP 75a4877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762615b5 2 bytes JMP 759bfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762615cd 2 bytes JMP 759cb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762616b2 2 bytes JMP 75a48f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762616bd 2 bytes JMP 75a48713 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000759a1efe 7 bytes JMP 00000001743f4b10
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000759a5b9d 7 bytes JMP 00000001743f54b0
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000759b13f9 7 bytes JMP 00000001743f4e50
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000759bea45 7 bytes JMP 00000001743f4b00
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075a48f4c 7 bytes JMP 00000001743f45c0
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075a48fd1 5 bytes JMP 00000001743f4670
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075a49327 5 bytes JMP 00000001743f45d0
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b21d29 5 bytes JMP 00000001743f4580
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076b21dd7 5 bytes JMP 00000001743f4540
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b22ab1 5 bytes JMP 00000001743f4680
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b22d1d 5 bytes JMP 00000001743f4360
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007686d2b4 5 bytes JMP 00000001743f3b60
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007686d4ee 5 bytes JMP 00000001743f3b80
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076a28a29 5 bytes JMP 00000001743f3a40
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076a34572 5 bytes JMP 00000001743f42e0
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076a4e567 5 bytes JMP 00000001743f4350
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076a707d7 5 bytes JMP 00000001743f3850
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076a87a5c 5 bytes JMP 00000001743f42d0
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075cd5ea5 5 bytes JMP 00000001743f3a00
.text C:\Users\Lenovo\AppData\Local\Microsoft\BingSvc\BingSvc.exe[4624] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d09d0b 5 bytes JMP 00000001743f3990
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000759a1efe 7 bytes JMP 00000001743f4b10
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000759a5b9d 7 bytes JMP 00000001743f54b0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000759b13f9 7 bytes JMP 00000001743f4e50
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000759bea45 7 bytes JMP 00000001743f4b00
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075a48f4c 7 bytes JMP 00000001743f45c0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075a48fd1 5 bytes JMP 00000001743f4670
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075a49327 5 bytes JMP 00000001743f45d0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b21d29 5 bytes JMP 00000001743f4580
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076b21dd7 5 bytes JMP 00000001743f4540
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b22ab1 5 bytes JMP 00000001743f4680
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b22d1d 5 bytes JMP 00000001743f4360
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007686d2b4 5 bytes JMP 00000001743f3b60
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007686d4ee 5 bytes JMP 00000001743f3b80
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076a28a29 5 bytes JMP 00000001743f3a40
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076a34572 5 bytes JMP 00000001743f42e0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076a4e567 5 bytes JMP 00000001743f4350
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076a707d7 5 bytes JMP 00000001743f3850
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076a87a5c 5 bytes JMP 00000001743f42d0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075cd5ea5 5 bytes JMP 00000001743f3a00
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3956] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d09d0b 5 bytes JMP 00000001743f3990
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076261401 2 bytes JMP 759cb21b C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076261419 2 bytes JMP 759cb346 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076261431 2 bytes JMP 75a48fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007626144a 2 bytes CALL 759a489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762614dd 2 bytes JMP 75a488c4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762614f5 2 bytes JMP 75a48aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007626150d 2 bytes JMP 75a487ba C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076261525 2 bytes JMP 75a48b8a C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007626153d 2 bytes JMP 759bfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076261555 2 bytes JMP 759c68ef C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007626156d 2 bytes JMP 75a49089 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076261585 2 bytes JMP 75a48bea C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007626159d 2 bytes JMP 75a4877e C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762615b5 2 bytes JMP 759bfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762615cd 2 bytes JMP 759cb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762616b2 2 bytes JMP 75a48f4c C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762616bd 2 bytes JMP 75a48713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 00000000759a1efe 7 bytes JMP 00000001743f4b10
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 00000000759a5b9d 7 bytes JMP 00000001743f54b0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 00000000759b13f9 7 bytes JMP 00000001743f4e50
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 00000000759bea45 7 bytes JMP 00000001743f4b00
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 0000000075a48f4c 7 bytes JMP 00000001743f45c0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075a48fd1 5 bytes JMP 00000001743f4670
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075a49327 5 bytes JMP 00000001743f45d0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b21d29 5 bytes JMP 00000001743f4580
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076b21dd7 5 bytes JMP 00000001743f4540
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b22ab1 5 bytes JMP 00000001743f4680
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b22d1d 5 bytes JMP 00000001743f4360
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076a28a29 5 bytes JMP 00000001743f3a40
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076a34572 5 bytes JMP 00000001743f42e0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076a4e567 5 bytes JMP 00000001743f4350
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076a707d7 5 bytes JMP 00000001743f3850
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076a87a5c 5 bytes JMP 00000001743f42d0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007686d2b4 5 bytes JMP 00000001743f3b60
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007686d4ee 5 bytes JMP 00000001743f3b80
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075cd5ea5 5 bytes JMP 00000001743f3a00
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5012] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075d09d0b 5 bytes JMP 00000001743f3990
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000759a1efe 7 bytes JMP 00000001743f4b10
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000759a5b9d 7 bytes JMP 00000001743f54b0
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000759b13f9 7 bytes JMP 00000001743f4e50
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000759bea45 7 bytes JMP 00000001743f4b00
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075a48f4c 7 bytes JMP 00000001743f45c0
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075a48fd1 5 bytes JMP 00000001743f4670
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075a49327 5 bytes JMP 00000001743f45d0
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b21d29 5 bytes JMP 00000001743f4580
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076b21dd7 5 bytes JMP 00000001743f4540
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b22ab1 5 bytes JMP 00000001743f4680
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b22d1d 5 bytes JMP 00000001743f4360
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007686d2b4 5 bytes JMP 00000001743f3b60
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007686d4ee 5 bytes JMP 00000001743f3b80
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076a28a29 5 bytes JMP 00000001743f3a40
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076a34572 5 bytes JMP 00000001743f42e0
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076a4e567 5 bytes JMP 00000001743f4350
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076a707d7 5 bytes JMP 00000001743f3850
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076a87a5c 5 bytes JMP 00000001743f42d0
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076261401 2 bytes JMP 759cb21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076261419 2 bytes JMP 759cb346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076261431 2 bytes JMP 75a48fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007626144a 2 bytes CALL 759a489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762614dd 2 bytes JMP 75a488c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762614f5 2 bytes JMP 75a48aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007626150d 2 bytes JMP 75a487ba C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076261525 2 bytes JMP 75a48b8a C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007626153d 2 bytes JMP 759bfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076261555 2 bytes JMP 759c68ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007626156d 2 bytes JMP 75a49089 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076261585 2 bytes JMP 75a48bea C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007626159d 2 bytes JMP 75a4877e C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762615b5 2 bytes JMP 759bfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762615cd 2 bytes JMP 759cb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762616b2 2 bytes JMP 75a48f4c C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lenovo\Desktop\hljzutyd.exe[496] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762616bd 2 bytes JMP 75a48713 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90489afaf898
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90489afaf898@00eebdcfe20b 0xA6 0x05 0x92 0x56 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90489afaf898 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90489afaf898@00eebdcfe20b 0xA6 0x05 0x92 0x56 ...

---- EOF - GMER 2.1 ----