GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-19 12:17:32
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB
Running: mxtpw3hx.exe; Driver: C:\Users\Lucyna\AppData\Local\Temp\kwrdapod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075338781 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 7535b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 7535b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 753d8fd1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 7533489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 753d88c4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 753d8aa0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 753d87ba C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 753d8b8a C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 7534fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!EnumProcesses + 17 00000000762a1555 2 bytes JMP 753568ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 753d9089 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 753d8bea C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 753d877e C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 7534fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 7535b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 753d8f4c C:\windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1808] C:\windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 753d8713 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 7535b21b C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 7535b346 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 753d8fd1 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 7533489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 753d88c4 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 753d8aa0 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 753d87ba C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 753d8b8a C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 7534fca8 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762a1555 2 bytes JMP 753568ef C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 753d9089 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 753d8bea C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 753d877e C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 7534fd41 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 7535b2dc C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 753d8f4c C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\AppData\Roaming\TSv\TSvr.exe[1928] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 753d8713 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 7535b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 7535b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 753d8fd1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 7533489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 753d88c4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 753d8aa0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 753d87ba C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 753d8b8a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 7534fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762a1555 2 bytes JMP 753568ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 753d9089 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 753d8bea C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 753d877e C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 7534fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 7535b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 753d8f4c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\SFK\SSFK.exe[2272] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 753d8713 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 7535b21b C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 7535b346 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 753d8fd1 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 7533489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 753d88c4 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 753d8aa0 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 753d87ba C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 753d8b8a C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 7534fca8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762a1555 2 bytes JMP 753568ef C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 753d9089 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 753d8bea C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 753d877e C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 7534fd41 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 7535b2dc C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 753d8f4c C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\eWdMe\WdMan.exe[2312] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 753d8713 C:\windows\syswow64\kernel32.dll
? C:\windows\system32\mssprxy.dll [2392] entry point in ".rdata" section 00000000717e71e6
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 7535b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 7535b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 753d8fd1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 7533489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 753d88c4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 753d8aa0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 753d87ba C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 753d8b8a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 7534fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762a1555 2 bytes JMP 753568ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 753d9089 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 753d8bea C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 753d877e C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 7534fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 7535b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 753d8f4c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 753d8713 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 7535b21b C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 7535b346 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 753d8fd1 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 7533489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 753d88c4 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 753d8aa0 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 753d87ba C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 753d8b8a C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 7534fca8 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762a1555 2 bytes JMP 753568ef C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 753d9089 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 753d8bea C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 753d877e C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 7534fd41 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 7535b2dc C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 753d8f4c C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[5012] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 753d8713 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 7535b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 7535b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 753d8fd1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 7533489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 753d88c4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 753d8aa0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 753d87ba C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 753d8b8a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 7534fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762a1555 2 bytes JMP 753568ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 753d9089 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 753d8bea C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 753d877e C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 7534fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 7535b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 753d8f4c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4172] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 753d8713 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 7535b21b C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 7535b346 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 753d8fd1 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 7533489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 753d88c4 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 753d8aa0 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 753d87ba C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 753d8b8a C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 7534fca8 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762a1555 2 bytes JMP 753568ef C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 753d9089 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 753d8bea C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 753d877e C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 7534fd41 C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 7535b2dc C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 753d8f4c C:\windows\syswow64\kernel32.dll
.text C:\Users\Lucyna\Downloads\mxtpw3hx.exe[1780] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 753d8713 C:\windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\windows\SysWOW64\ntdll.dll [3652:3632] 00000000004155a8
Thread C:\Windows\WindowsMobile\wmdc.exe [4092:4236] 0000000074803804
Thread C:\Windows\WindowsMobile\wmdc.exe [4092:4240] 0000000074823368
Thread C:\windows\system32\svchost.exe [3688:4244] 000000007472b5fc
Thread C:\windows\system32\svchost.exe [3688:4248] 00000000747b8b1c
Thread C:\windows\system32\svchost.exe [3688:4252] 0000000074711760
Thread C:\windows\system32\svchost.exe [3688:4256] 00000000747bc740
Thread C:\windows\system32\svchost.exe [3688:4260] 00000000747c498c
Thread C:\windows\system32\svchost.exe [3688:4276] 00000000746e2234
Thread C:\windows\system32\svchost.exe [3688:4280] 0000000074750398
Thread C:\windows\system32\svchost.exe [3688:4288] 00000000746e3de4
Thread C:\windows\system32\svchost.exe [3688:4292] 0000000074726394
Thread C:\windows\System32\svchost.exe [4608:4424] 000007fef58f9688
Thread [3232:2100] 00000000710b7850
Thread [3232:2156] 000000007768c557
Thread [3232:4868] 00000000776a27c1
Thread [4020:1348] 000000007768c557
Thread [4020:4136] 00000000776a27c1
Thread [4020:2132] 00000000710b7850

---- Processes - GMER 2.1 ----

Process C:\ProgramData\DatacardService\DCService.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCService.exe [1704](2010-08-19 08:52:04) 0000000000400000
Process C:\ProgramData\eWdMe\WdMan.exe (*** suspicious ***) @ C:\ProgramData\eWdMe\WdMan.exe [2312] (TFuns/TFuns LIMITED)(2015-12-09 09:47:45) 0000000000910000
Process C:\Users\Lucyna\AppData\Roaming\blueconnect\ouc.exe (*** suspicious ***) @ C:\Users\Lucyna\AppData\Roaming\blueconnect\ouc.exe [4352] (Online Update Clinet/Huawei Technologies Co., Ltd.)(2014-08-27 19:11:23) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde691eaa
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de56362b
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde691eaa (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de56362b (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\Windows\Temp\TMP00000014F6B6229483AC942D 524288 bytes

---- EOF - GMER 2.1 ----