GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-28 16:40:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD10EURX-73C57Y0 rev.01.01A01 931,51GB Running: j4p2zj4v.exe; Driver: C:\Users\ENTARO\AppData\Local\Temp\kwliypod.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88007257d8c 12 bytes {MOV RAX, 0xfffffa8008a2f2a0; JMP RAX} ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[500] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076642ab1 5 bytes JMP 0000000000888c60 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769d1401 2 bytes JMP 766bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769d1419 2 bytes JMP 766bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769d1431 2 bytes JMP 76738f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769d144a 2 bytes CALL 76694885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769d14dd 2 bytes JMP 76738832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769d14f5 2 bytes JMP 76738a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769d150d 2 bytes JMP 76738728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769d1525 2 bytes JMP 76738af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769d153d 2 bytes JMP 766afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769d1555 2 bytes JMP 766b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769d156d 2 bytes JMP 76738ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769d1585 2 bytes JMP 76738b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769d159d 2 bytes JMP 767386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769d15b5 2 bytes JMP 766afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769d15cd 2 bytes JMP 766bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769d16b2 2 bytes JMP 76738eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769d16bd 2 bytes JMP 76738681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000744811a8 2 bytes [48, 74] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000007448127d 2 bytes CALL 766914b9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395 0000000074481310 2 bytes CALL 766914b9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000744813a8 2 bytes [48, 74] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000074481422 2 bytes [48, 74] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2416] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000074481498 2 bytes [48, 74] .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769d1401 2 bytes JMP 766bb20b C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769d1419 2 bytes JMP 766bb336 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769d1431 2 bytes JMP 76738f39 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769d144a 2 bytes CALL 76694885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769d14dd 2 bytes JMP 76738832 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769d14f5 2 bytes JMP 76738a08 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769d150d 2 bytes JMP 76738728 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769d1525 2 bytes JMP 76738af2 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769d153d 2 bytes JMP 766afc98 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769d1555 2 bytes JMP 766b68df C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769d156d 2 bytes JMP 76738ff1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769d1585 2 bytes JMP 76738b52 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769d159d 2 bytes JMP 767386ec C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769d15b5 2 bytes JMP 766afd31 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769d15cd 2 bytes JMP 766bb2cc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769d16b2 2 bytes JMP 76738eb4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Battle.net\Agent\Agent.4949\Agent.exe[5260] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769d16bd 2 bytes JMP 76738681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769d1401 2 bytes JMP 766bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769d1419 2 bytes JMP 766bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769d1431 2 bytes JMP 76738f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769d144a 2 bytes CALL 76694885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769d14dd 2 bytes JMP 76738832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769d14f5 2 bytes JMP 76738a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769d150d 2 bytes JMP 76738728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769d1525 2 bytes JMP 76738af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769d153d 2 bytes JMP 766afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769d1555 2 bytes JMP 766b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769d156d 2 bytes JMP 76738ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769d1585 2 bytes JMP 76738b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769d159d 2 bytes JMP 767386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769d15b5 2 bytes JMP 766afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769d15cd 2 bytes JMP 766bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769d16b2 2 bytes JMP 76738eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769d16bd 2 bytes JMP 76738681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769d1401 2 bytes JMP 766bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769d1419 2 bytes JMP 766bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769d1431 2 bytes JMP 76738f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769d144a 2 bytes CALL 76694885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769d14dd 2 bytes JMP 76738832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769d14f5 2 bytes JMP 76738a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769d150d 2 bytes JMP 76738728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769d1525 2 bytes JMP 76738af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769d153d 2 bytes JMP 766afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769d1555 2 bytes JMP 766b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769d156d 2 bytes JMP 76738ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769d1585 2 bytes JMP 76738b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769d159d 2 bytes JMP 767386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769d15b5 2 bytes JMP 766afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769d15cd 2 bytes JMP 766bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769d16b2 2 bytes JMP 76738eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769d16bd 2 bytes JMP 76738681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769d1401 2 bytes JMP 766bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769d1419 2 bytes JMP 766bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769d1431 2 bytes JMP 76738f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769d144a 2 bytes CALL 76694885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769d14dd 2 bytes JMP 76738832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769d14f5 2 bytes JMP 76738a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769d150d 2 bytes JMP 76738728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769d1525 2 bytes JMP 76738af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769d153d 2 bytes JMP 766afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769d1555 2 bytes JMP 766b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769d156d 2 bytes JMP 76738ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769d1585 2 bytes JMP 76738b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769d159d 2 bytes JMP 767386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769d15b5 2 bytes JMP 766afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769d15cd 2 bytes JMP 766bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769d16b2 2 bytes JMP 76738eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Battle.net\Battle.net.7348\Battle.net Helper.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769d16bd 2 bytes JMP 76738681 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88000eb5f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88000eb5cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88000eb669c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88000eb6a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88000eb68f4] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa8006b1a840] [unknown section] IAT C:\Windows\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa8008a2f840] [unknown section] ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdePort4 fffffa8006b352c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8006b352c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 fffffa8006b352c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa8006b352c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8006b352c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa8006b352c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 fffffa8006b352c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa8006b352c0 Device \FileSystem\Ntfs \Ntfs fffffa8006b3b2c0 Device \Driver\USBSTOR \Device\0000007e fffffa800873e2c0 Device \Driver\usbehci \Device\USBPDO-5 fffffa8008ac72c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa8008a312c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa8008a312c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007d5d2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8007d5d2c0 Device \Driver\usbohci \Device\USBPDO-6 fffffa8008a312c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa8008a312c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa8008ac72c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8008a312c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa800863b2c0 Device \Driver\USBSTOR \Device\00000081 fffffa800873e2c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa8008ac72c0 Device \Driver\dtsoftbus01 \Device\00000062 fffffa800863b2c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa8008a312c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa8008a312c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{8E17855C-1897-4D0A-B680-EC7B4380D9AB} fffffa8007dea2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007dea2c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa8008a312c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa8008a312c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8006b352c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8008ac72c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8008a312c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8006b352c0 Device \Driver\atapi \Device\ScsiPort2 fffffa8006b352c0 Device \Driver\atapi \Device\ScsiPort3 fffffa8006b352c0 Device \Driver\atapi \Device\ScsiPort4 fffffa8006b352c0 Device \Driver\atapi \Device\ScsiPort5 fffffa8006b352c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8006b352c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8006b352c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007d44060] fffffa8007d44060 Trace 3 CLASSPNP.SYS[fffff8800196b43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0xfffffa8007a48680] fffffa8007a48680 Trace \Driver\atapi[0xfffffa8006c82e70] -> IRP_MJ_CREATE -> 0xfffffa8006b352c0 fffffa8006b352c0 ---- EOF - GMER 2.2 ----