GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-12 22:57:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB Running: gmer.exe; Driver: C:\Users\JOLA-M~1\AppData\Local\Temp\pgldraob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000f5900 7 bytes [80, 48, F3, FF, 01, 55, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000f5908 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[788] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000076ca9010 4 bytes [C3, 00, 00, 00] .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef6e2dc88 5 bytes JMP 000007fef6c200d8 .text C:\Windows\system32\Dwm.exe[1748] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef6e2de10 5 bytes JMP 000007fef6c20110 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000750c1f0e 7 bytes JMP 00000000727e1695 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000750c5bad 7 bytes JMP 00000000727e11a9 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000750d1431 7 bytes JMP 00000000727e128a .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000750dea85 7 bytes JMP 00000000727e1244 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000750eb263 5 bytes JMP 00000000727e15aa .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 000000007516906c 7 bytes JMP 00000000727e1339 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000751690f1 5 bytes JMP 00000000727e16d6 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075169447 5 bytes JMP 00000000727e170d .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075338a39 5 bytes JMP 00000000727e1726 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075344582 5 bytes JMP 00000000727e10a0 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007535e587 5 bytes JMP 00000000727e1415 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075397b24 5 bytes JMP 00000000727e15d2 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f55e75 5 bytes JMP 00000000727e15fa .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f89cbb 5 bytes JMP 00000000727e121c .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074a41401 2 bytes JMP 750eb263 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074a41419 2 bytes JMP 750eb38e C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074a41431 2 bytes JMP 751690f1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074a4144a 2 bytes CALL 750c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074a414dd 2 bytes JMP 751689ea C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074a414f5 2 bytes JMP 75168bc0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074a4150d 2 bytes JMP 751688e0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074a41525 2 bytes JMP 75168caa C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074a4153d 2 bytes JMP 750dfce8 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074a41555 2 bytes JMP 750e6937 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074a4156d 2 bytes JMP 751691a9 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074a41585 2 bytes JMP 75168d0a C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074a4159d 2 bytes JMP 751688a4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074a415b5 2 bytes JMP 750dfd81 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074a415cd 2 bytes JMP 750eb324 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074a416b2 2 bytes JMP 7516906c C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074a416bd 2 bytes JMP 75168839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000750c1f0e 7 bytes JMP 00000000727e1695 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000750c5bad 7 bytes JMP 00000000727e11a9 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000750d1431 7 bytes JMP 00000000727e128a .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000750dea85 7 bytes JMP 00000000727e1244 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000750eb263 5 bytes JMP 00000000727e15aa .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 000000007516906c 7 bytes JMP 00000000727e1339 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000751690f1 5 bytes JMP 00000000727e16d6 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075169447 5 bytes JMP 00000000727e170d .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074e51e4c 5 bytes JMP 00000000727e11c2 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074e51efa 5 bytes JMP 00000000727e1014 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074e52bdc 5 bytes JMP 00000000727e1555 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074e52e7e 5 bytes JMP 00000000727e1271 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075338a39 5 bytes JMP 00000000727e1726 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075344582 5 bytes JMP 00000000727e10a0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007535e587 5 bytes JMP 00000000727e1415 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075397b24 5 bytes JMP 00000000727e15d2 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075aae74f 1 byte JMP 00000000727e15c3 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList + 2 0000000075aae751 3 bytes {JMP 0xfffffffffcd32e74} .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075aae989 5 bytes JMP 00000000727e1186 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f55e75 5 bytes JMP 00000000727e15fa .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f89cbb 5 bytes JMP 00000000727e121c .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074a41401 2 bytes JMP 750eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074a41419 2 bytes JMP 750eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074a41431 2 bytes JMP 751690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074a4144a 2 bytes CALL 750c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074a414dd 2 bytes JMP 751689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074a414f5 2 bytes JMP 75168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074a4150d 2 bytes JMP 751688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074a41525 2 bytes JMP 75168caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074a4153d 2 bytes JMP 750dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074a41555 2 bytes JMP 750e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074a4156d 2 bytes JMP 751691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074a41585 2 bytes JMP 75168d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074a4159d 2 bytes JMP 751688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074a415b5 2 bytes JMP 750dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074a415cd 2 bytes JMP 750eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074a416b2 2 bytes JMP 7516906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074a416bd 2 bytes JMP 75168839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076c9a3e0 7 bytes JMP 000000006fff0260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076ca3ef0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076cbfff0 5 bytes JMP 000000006fff01f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076ccf3e0 5 bytes JMP 000000006fff0148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076cf9c70 7 bytes JMP 000000006fff00d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d09700 5 bytes JMP 000000006fff0180 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d09870 5 bytes JMP 000000006fff0110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d28aa0 7 bytes JMP 000000006fff0228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefda98830 8 bytes JMP 000007fefce601f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefda9b9e0 8 bytes JMP 000007fefce601b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefddf6d10 11 bytes JMP 000007fefce60228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2100] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefde0b4f0 7 bytes JMP 000007fefce60260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3060] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076c9a3e0 7 bytes JMP 000000006fff0260 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3060] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076ca3ef0 5 bytes JMP 000000006fff01b8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3060] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076cbfff0 5 bytes JMP 000000006fff01f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3060] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076ccf3e0 5 bytes JMP 000000006fff0148 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3060] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076cf9c70 7 bytes JMP 000000006fff00d8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3060] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d09700 5 bytes JMP 000000006fff0180 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3060] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d09870 5 bytes JMP 000000006fff0110 .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3060] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d28aa0 7 bytes JMP 000000006fff0228 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000750c1f0e 7 bytes JMP 00000000727e1695 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000750c5bad 7 bytes JMP 00000000727e11a9 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000750d1431 7 bytes JMP 00000000727e128a .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000750dea85 7 bytes JMP 00000000727e1244 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000750eb263 5 bytes JMP 00000000727e15aa .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 000000007516906c 7 bytes JMP 00000000727e1339 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000751690f1 5 bytes JMP 00000000727e16d6 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075169447 5 bytes JMP 00000000727e170d .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074a41401 2 bytes JMP 750eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074a41419 2 bytes JMP 750eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074a41431 2 bytes JMP 751690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074a4144a 2 bytes CALL 750c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074a414dd 2 bytes JMP 751689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074a414f5 2 bytes JMP 75168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074a4150d 2 bytes JMP 751688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074a41525 2 bytes JMP 75168caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074a4153d 2 bytes JMP 750dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074a41555 2 bytes JMP 750e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074a4156d 2 bytes JMP 751691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074a41585 2 bytes JMP 75168d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074a4159d 2 bytes JMP 751688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074a415b5 2 bytes JMP 750dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074a415cd 2 bytes JMP 750eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074a416b2 2 bytes JMP 7516906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074a416bd 2 bytes JMP 75168839 C:\Windows\syswow64\kernel32.dll .text E:\FRST64.exe[3228] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076c9a3e0 7 bytes JMP 000000006fff0260 .text E:\FRST64.exe[3228] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076ca3ef0 5 bytes JMP 000000006fff01b8 .text E:\FRST64.exe[3228] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076cbfff0 5 bytes JMP 000000006fff01f0 .text E:\FRST64.exe[3228] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076ccf3e0 5 bytes JMP 000000006fff0148 .text E:\FRST64.exe[3228] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076cf9c70 7 bytes JMP 000000006fff00d8 .text E:\FRST64.exe[3228] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d09700 5 bytes JMP 000000006fff0180 .text E:\FRST64.exe[3228] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d09870 5 bytes JMP 000000006fff0110 .text E:\FRST64.exe[3228] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d28aa0 7 bytes JMP 000000006fff0228 .text E:\FRST64.exe[3228] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce732f0 7 bytes JMP 000007fefce600d8 .text E:\FRST64.exe[3228] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce7aa60 5 bytes JMP 000007fefce60180 .text E:\FRST64.exe[3228] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce7ac00 5 bytes JMP 000007fefce60110 .text E:\FRST64.exe[3228] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce89ac0 5 bytes JMP 000007fefce60148 .text E:\FRST64.exe[3228] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefda98830 8 bytes JMP 000007fefce601f0 .text E:\FRST64.exe[3228] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefda9b9e0 8 bytes JMP 000007fefce601b8 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000750c1f0e 7 bytes JMP 00000000727e1695 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000750c5bad 7 bytes JMP 00000000727e11a9 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000750d1431 7 bytes JMP 00000000727e128a .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000750dea85 7 bytes JMP 00000000727e1244 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000750eb263 5 bytes JMP 00000000727e15aa .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 000000007516906c 7 bytes JMP 00000000727e1339 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000751690f1 5 bytes JMP 00000000727e16d6 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075169447 5 bytes JMP 00000000727e170d .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074e51e4c 5 bytes JMP 00000000727e11c2 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074e51efa 5 bytes JMP 00000000727e1014 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074e52bdc 5 bytes JMP 00000000727e1555 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074e52e7e 5 bytes JMP 00000000727e1271 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075aae74f 1 byte JMP 00000000727e15c3 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList + 2 0000000075aae751 3 bytes {JMP 0xfffffffffcd32e74} .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075aae989 5 bytes JMP 00000000727e1186 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075338a39 5 bytes JMP 00000000727e1726 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075344582 5 bytes JMP 00000000727e10a0 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007535e587 5 bytes JMP 00000000727e1415 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075397b24 5 bytes JMP 00000000727e15d2 .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074f55e75 5 bytes JMP 00000000727e15fa .text E:\gmer\gmer.exe[4944] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074f89cbb 5 bytes JMP 00000000727e121c ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4cedde6b8bcf (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4cedde6b8bcf@0cdfa4714aae 0x38 0x2D 0xD2 0xA3 ... Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4cedde6b8bcf@08ee8b89a42c 0xDA 0x6F 0x9E 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6b8bcf Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6b8bcf@0cdfa4714aae 0x38 0x2D 0xD2 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6b8bcf@08ee8b89a42c 0xDA 0x6F 0x9E 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6b8bcf@183bd2ab2ce2 0xA5 0x0D 0xD5 0x78 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4cedde6b8bcf (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4cedde6b8bcf@0cdfa4714aae 0x38 0x2D 0xD2 0xA3 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4cedde6b8bcf@08ee8b89a42c 0xDA 0x6F 0x9E 0x27 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4cedde6b8bcf@183bd2ab2ce2 0xA5 0x0D 0xD5 0x78 ... ---- EOF - GMER 2.2 ----