GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-11 15:03:59 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JEDO 596,17GB Running: q927z99i.exe; Driver: C:\Users\O\AppData\Local\Temp\fxloyuog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd8d2db0 5 bytes JMP 000007fffd8c0180 .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd8d37d0 7 bytes JMP 000007fffd8c00d8 .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd8da410 2 bytes JMP 000007fffd8c0110 .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3 000007fefd8da413 2 bytes [FE, FF] .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd8daec0 6 bytes JMP 000007fffd8c0148 .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feffc789d0 8 bytes JMP 000007fffd8c01f0 .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feffc7be40 8 bytes JMP 000007fffd8c01b8 .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef95adc88 5 bytes JMP 000007fff92f00d8 .text C:\Windows\system32\Dwm.exe[1940] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef95ade10 5 bytes JMP 000007fff92f0110 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076801401 2 bytes JMP 7625b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076801419 2 bytes JMP 7625b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076801431 2 bytes JMP 762d8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007680144a 2 bytes CALL 7623489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000768014dd 2 bytes JMP 762d88c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000768014f5 2 bytes JMP 762d8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007680150d 2 bytes JMP 762d87ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076801525 2 bytes JMP 762d8b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007680153d 2 bytes JMP 7624fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076801555 2 bytes JMP 762568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007680156d 2 bytes JMP 762d9089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076801585 2 bytes JMP 762d8bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007680159d 2 bytes JMP 762d877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000768015b5 2 bytes JMP 7624fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000768015cd 2 bytes JMP 7625b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000768016b2 2 bytes JMP 762d8f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2836] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000768016bd 2 bytes JMP 762d8713 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076801401 2 bytes JMP 7625b21b C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076801419 2 bytes JMP 7625b346 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076801431 2 bytes JMP 762d8fd1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007680144a 2 bytes CALL 7623489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768014dd 2 bytes JMP 762d88c4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768014f5 2 bytes JMP 762d8aa0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007680150d 2 bytes JMP 762d87ba C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076801525 2 bytes JMP 762d8b8a C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007680153d 2 bytes JMP 7624fca8 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076801555 2 bytes JMP 762568ef C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007680156d 2 bytes JMP 762d9089 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076801585 2 bytes JMP 762d8bea C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007680159d 2 bytes JMP 762d877e C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768015b5 2 bytes JMP 7624fd41 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768015cd 2 bytes JMP 7625b2dc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768016b2 2 bytes JMP 762d8f4c C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\SWdMS\WdMan.exe[2040] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768016bd 2 bytes JMP 762d8713 C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000076801401 2 bytes JMP 7625b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000076801419 2 bytes JMP 7625b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000076801431 2 bytes JMP 762d8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 000000007680144a 2 bytes CALL 7623489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000768014dd 2 bytes JMP 762d88c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000768014f5 2 bytes JMP 762d8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 000000007680150d 2 bytes JMP 762d87ba C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076801525 2 bytes JMP 762d8b8a C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 000000007680153d 2 bytes JMP 7624fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000076801555 2 bytes JMP 762568ef C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 000000007680156d 2 bytes JMP 762d9089 C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000076801585 2 bytes JMP 762d8bea C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 000000007680159d 2 bytes JMP 762d877e C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000768015b5 2 bytes JMP 7624fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000768015cd 2 bytes JMP 7625b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000768016b2 2 bytes JMP 762d8f4c C:\Windows\syswow64\kernel32.dll .text C:\Users\O\AppData\Roaming\Dropbox\bin\Dropbox.exe[4564] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000768016bd 2 bytes JMP 762d8713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4632] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076238781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076801401 2 bytes JMP 7625b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076801419 2 bytes JMP 7625b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076801431 2 bytes JMP 762d8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007680144a 2 bytes CALL 7623489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768014dd 2 bytes JMP 762d88c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768014f5 2 bytes JMP 762d8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007680150d 2 bytes JMP 762d87ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076801525 2 bytes JMP 762d8b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007680153d 2 bytes JMP 7624fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076801555 2 bytes JMP 762568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007680156d 2 bytes JMP 762d9089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076801585 2 bytes JMP 762d8bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007680159d 2 bytes JMP 762d877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768015b5 2 bytes JMP 7624fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768015cd 2 bytes JMP 7625b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768016b2 2 bytes JMP 762d8f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768016bd 2 bytes JMP 762d8713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076238781 5 bytes JMP 000000015a7c7562 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075de6143 5 bytes JMP 000000015b4ccd0a .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075853e59 5 bytes JMP 000000015a7ec273 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075853eae 5 bytes JMP 000000015a7f57f8 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075854731 5 bytes JMP 000000015a7f5390 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075855dee 5 bytes JMP 000000015a8015ae ? C:\Windows\system32\mssprxy.dll [3956] entry point in ".rdata" section 00000000730a71e6 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076801401 2 bytes JMP 7625b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076801419 2 bytes JMP 7625b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076801431 2 bytes JMP 762d8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007680144a 2 bytes CALL 7623489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768014dd 2 bytes JMP 762d88c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768014f5 2 bytes JMP 762d8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007680150d 2 bytes JMP 762d87ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076801525 2 bytes JMP 762d8b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007680153d 2 bytes JMP 7624fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076801555 2 bytes JMP 762568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007680156d 2 bytes JMP 762d9089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076801585 2 bytes JMP 762d8bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007680159d 2 bytes JMP 762d877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768015b5 2 bytes JMP 7624fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768015cd 2 bytes JMP 7625b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768016b2 2 bytes JMP 762d8f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768016bd 2 bytes JMP 762d8713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll!RegCreateKeyExW + 1 000000004997b00b 4 bytes {JMP 0x2c7c9057} .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll!RegEnumKeyW + 1 000000004997b024 4 bytes {JMP 0x2c7c93a0} .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll!RegOpenKeyExW + 1 000000004997b033 4 bytes {JMP 0x2c7c95c3} .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll!RegQueryValueExW + 1 000000004997b042 4 bytes {JMP 0x2c7c95d4} .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll!CreateSemaphoreW + 1 000000004997b150 4 bytes {JMP 0x2c8d18e3} .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll!GetModuleFileNameW + 1 000000004997b1be 4 bytes {JMP 0x2c8b974b} .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll!GetModuleHandleW + 1 000000004997b1c3 4 bytes {JMP 0x2c8b829e} .text C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE[3956] C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\pkmws.dll!RegisterClipboardFormatW + 1 000000004997b420 4 bytes {JMP 0x2bdeeaae} ---- Processes - GMER 2.1 ---- Process C:\ProgramData\SWdMS\WdMan.exe (*** suspicious ***) @ C:\ProgramData\SWdMS\WdMan.exe [2040] (TFuns/TFuns LIMITED)(2015-12-10 06:53:52) 00000000011d0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68fac04c Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68fac04c (not active ControlSet) ---- EOF - GMER 2.1 ----