GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-01 22:04:04
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545032B9A300 rev.PB3OC60F 298,09GB
Running: 6hllc7w2.exe; Driver: C:\Users\Krzak\AppData\Local\Temp\kwddykog.sys

---- User code sections - GMER 2.2 ----

.text ... * 9
.text ... * 9
.text ... * 9
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768e14dd 2 bytes JMP 769a890a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000768e1555 2 bytes JMP 76926907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000768e1419 2 bytes JMP 7692b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768e14f5 2 bytes JMP 769a8ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000768e1525 2 bytes JMP 769a8bca C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768e15b5 2 bytes JMP 7691fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000768e153d 2 bytes JMP 7691fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768e15cd 2 bytes JMP 7692b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000768e1401 2 bytes JMP 7692b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000768e1431 2 bytes JMP 769a9011 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000768e144a 2 bytes CALL 769048ad C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000768e1585 2 bytes JMP 769a8c2a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768e16b2 2 bytes JMP 769a8f8c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768e16bd 2 bytes JMP 769a8759 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000768e156d 2 bytes JMP 769a90c9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000768e159d 2 bytes JMP 769a87c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[1856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000768e150d 2 bytes JMP 769a8800 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768e14dd 2 bytes JMP 769a890a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000768e1555 2 bytes JMP 76926907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000768e1419 2 bytes JMP 7692b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768e14f5 2 bytes JMP 769a8ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000768e1525 2 bytes JMP 769a8bca C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768e15b5 2 bytes JMP 7691fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000768e153d 2 bytes JMP 7691fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768e15cd 2 bytes JMP 7692b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000768e1401 2 bytes JMP 7692b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000768e1431 2 bytes JMP 769a9011 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000768e144a 2 bytes CALL 769048ad C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000768e1585 2 bytes JMP 769a8c2a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768e16b2 2 bytes JMP 769a8f8c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768e16bd 2 bytes JMP 769a8759 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000768e156d 2 bytes JMP 769a90c9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000768e159d 2 bytes JMP 769a87c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[5308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000768e150d 2 bytes JMP 769a8800 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768e14dd 2 bytes JMP 769a890a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000768e1555 2 bytes JMP 76926907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000768e1419 2 bytes JMP 7692b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768e14f5 2 bytes JMP 769a8ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000768e1525 2 bytes JMP 769a8bca C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768e15b5 2 bytes JMP 7691fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000768e153d 2 bytes JMP 7691fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768e15cd 2 bytes JMP 7692b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000768e1401 2 bytes JMP 7692b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000768e1431 2 bytes JMP 769a9011 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000768e144a 2 bytes CALL 769048ad C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000768e1585 2 bytes JMP 769a8c2a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768e16b2 2 bytes JMP 769a8f8c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768e16bd 2 bytes JMP 769a8759 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000768e156d 2 bytes JMP 769a90c9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000768e159d 2 bytes JMP 769a87c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[3308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000768e150d 2 bytes JMP 769a8800 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 0000000077990388 5 bytes JMP 000000000027020c
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007799083c 5 bytes JMP 00000000002703d0
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799092c 2 bytes JMP 00000000002709fe
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 3 000000007799092f 2 bytes [8E, 88]
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779900a4 5 bytes JMP 0000000000270758
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077990944 5 bytes JMP 000000000027091c
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e94 5 bytes JMP 0000000000270676
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007798ff48 5 bytes JMP 0000000000270594
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779900d8 5 bytes JMP 0000000000270ca4
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007798ffc4 5 bytes JMP 0000000000270f4a
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 0000000077991674 5 bytes JMP 00000000002702ee
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory 000000007798ff30 5 bytes JMP 0000000000270e68
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077990108 5 bytes JMP 0000000000270d86
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779919c0 5 bytes JMP 000000000027083a
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991c84 5 bytes JMP 0000000000270ae0
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077991e10 5 bytes JMP 00000000002704b2
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fd50 5 bytes JMP 0000000000270bc2
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990124 5 bytes JMP 0000000000030050
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007798fd20 5 bytes JMP 000000000027012a
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007798feb4 5 bytes JMP 0000000000270048
.text C:\Program Files (x86)\qksee\qkseeSvc.exe[1600] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076d01566 7 bytes JMP 000000000028012a
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 0000000077990388 5 bytes JMP 00000000000c020c
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007799083c 5 bytes JMP 00000000000c03d0
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799092c 2 bytes JMP 00000000000c09fe
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 3 000000007799092f 2 bytes [73, 88]
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779900a4 5 bytes JMP 00000000000c0758
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077990944 5 bytes JMP 00000000000c091c
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e94 5 bytes JMP 00000000000c0676
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007798ff48 5 bytes JMP 00000000000c0594
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779900d8 5 bytes JMP 00000000000c0ca4
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007798ffc4 5 bytes JMP 00000000000c0f4a
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 0000000077991674 5 bytes JMP 00000000000c02ee
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory 000000007798ff30 5 bytes JMP 00000000000c0e68
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077990108 5 bytes JMP 00000000000c0d86
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779919c0 5 bytes JMP 00000000000c083a
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991c84 5 bytes JMP 00000000000c0ae0
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077991e10 5 bytes JMP 00000000000c04b2
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fd50 5 bytes JMP 00000000000c0bc2
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990124 5 bytes JMP 0000000000030050
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007798fd20 5 bytes JMP 00000000000c012a
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1136] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007798feb4 5 bytes JMP 00000000000c0048
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 0000000077990388 5 bytes JMP 00000000003a020c
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007799083c 5 bytes JMP 00000000003a03d0
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007799092c 2 bytes JMP 00000000003a09fe
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 3 000000007799092f 2 bytes [A1, 88]
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000779900a4 5 bytes JMP 00000000003a0758
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077990944 5 bytes JMP 00000000003a091c
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077990e94 5 bytes JMP 00000000003a0676
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007798ff48 5 bytes JMP 00000000003a0594
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779900d8 5 bytes JMP 00000000003a0ca4
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007798ffc4 5 bytes JMP 00000000003a0f4a
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 0000000077991674 5 bytes JMP 00000000003a02ee
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory 000000007798ff30 5 bytes JMP 00000000003a0e68
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077990108 5 bytes JMP 00000000003a0d86
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000779919c0 5 bytes JMP 00000000003a083a
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077991c84 5 bytes JMP 00000000003a0ae0
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077991e10 5 bytes JMP 00000000003a04b2
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007798fd50 5 bytes JMP 00000000003a0bc2
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077990124 5 bytes JMP 0000000000020050
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007798fd20 5 bytes JMP 00000000003a012a
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007798feb4 5 bytes JMP 00000000003a0048
.text C:\Users\Krzak\Downloads\6hllc7w2.exe[5228] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076d01566 7 bytes JMP 00000000003b0048

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\Explorer.EXE[USER32.dll!DeferWindowPos] [7fefa361da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\Explorer.EXE[USER32.dll!EndPaint] [7fefa361f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\Explorer.EXE[USER32.dll!MoveWindow] [7fefa361a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\CLBCatQ.DLL[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\DUI70.dll[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\DUser.dll[USER32.dll!EndPaint] [7fefa361f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!EndPaint] [7fefa361f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!MoveWindow] [7fefa361a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\IMM32.dll[USER32.dll!EndPaint] [7fefa361f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\IMM32.dll[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\MSCTF.dll[USER32.dll!EndPaint] [7fefa361f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\MSCTF.dll[USER32.dll!MoveWindow] [7fefa361a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\ole32.dll[USER32.dll!MoveWindow] [7fefa361a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MoveWindow] [7fefa361a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DeferWindowPos] [7fefa361da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!EndPaint] [7fefa361f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!MoveWindow] [7fefa361a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[USER32.dll!DeferWindowPos] [7fefa361da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[USER32.dll!EndPaint] [7fefa361f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[USER32.dll!MoveWindow] [7fefa361a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\Windows\Explorer.EXE[1724] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll[USER32.dll!SetWindowPos] [7fefa361bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll

---- EOF - GMER 2.2 ----