GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-17 11:02:22
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006d Samsung_ rev.EXT0 111,79GB
Running: u0yl16u5.exe; Driver: E:\TEMP\fxtiypoc.sys


---- User code sections - GMER 2.2 ----

.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   00000000762f1401 2 bytes JMP 776fb21b C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   00000000762f1419 2 bytes JMP 776fb346 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   00000000762f1431 2 bytes JMP 77778f29 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   00000000762f144a 2 bytes CALL 776d489d C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000762f14dd 2 bytes JMP 77778822 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000762f14f5 2 bytes JMP 777789f8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   00000000762f150d 2 bytes JMP 77778718 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   00000000762f1525 2 bytes JMP 77778ae2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   00000000762f153d 2 bytes JMP 776efca8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   00000000762f1555 2 bytes JMP 776f68ef C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   00000000762f156d 2 bytes JMP 77778fe3 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   00000000762f1585 2 bytes JMP 77778b42 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   00000000762f159d 2 bytes JMP 777786dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000762f15b5 2 bytes JMP 776efd41 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000762f15cd 2 bytes JMP 776fb2dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000762f16b2 2 bytes JMP 77778ea4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000762f16bd 2 bytes JMP 77778671 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter   00000000776d8781 4 bytes [C2, 04, 00, 00]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17   00000000762f1401 2 bytes JMP 776fb21b C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17   00000000762f1419 2 bytes JMP 776fb346 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17   00000000762f1431 2 bytes JMP 77778f29 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42   00000000762f144a 2 bytes CALL 776d489d C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17   00000000762f14dd 2 bytes JMP 77778822 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17   00000000762f14f5 2 bytes JMP 777789f8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17   00000000762f150d 2 bytes JMP 77778718 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17   00000000762f1525 2 bytes JMP 77778ae2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17   00000000762f153d 2 bytes JMP 776efca8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17   00000000762f1555 2 bytes JMP 776f68ef C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17   00000000762f156d 2 bytes JMP 77778fe3 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17   00000000762f1585 2 bytes JMP 77778b42 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17   00000000762f159d 2 bytes JMP 777786dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17   00000000762f15b5 2 bytes JMP 776efd41 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17   00000000762f15cd 2 bytes JMP 776fb2dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20   00000000762f16b2 2 bytes JMP 77778ea4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1924] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31   00000000762f16bd 2 bytes JMP 77778671 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1304] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82   0000000071af17fa 2 bytes CALL 776d11a9 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1304] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88   0000000071af1860 2 bytes CALL 776d11a9 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1304] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98   0000000071af1942 2 bytes JMP 77447089 C:\Windows\syswow64\WS2_32.dll
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1304] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109   0000000071af194d 2 bytes JMP 7744cba6 C:\Windows\syswow64\WS2_32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   00000000762f1401 2 bytes JMP 776fb21b C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   00000000762f1419 2 bytes JMP 776fb346 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   00000000762f1431 2 bytes JMP 77778f29 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   00000000762f144a 2 bytes CALL 776d489d C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000762f14dd 2 bytes JMP 77778822 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000762f14f5 2 bytes JMP 777789f8 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   00000000762f150d 2 bytes JMP 77778718 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   00000000762f1525 2 bytes JMP 77778ae2 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   00000000762f153d 2 bytes JMP 776efca8 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   00000000762f1555 2 bytes JMP 776f68ef C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   00000000762f156d 2 bytes JMP 77778fe3 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   00000000762f1585 2 bytes JMP 77778b42 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   00000000762f159d 2 bytes JMP 777786dc C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000762f15b5 2 bytes JMP 776efd41 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000762f15cd 2 bytes JMP 776fb2dc C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000762f16b2 2 bytes JMP 77778ea4 C:\Windows\syswow64\kernel32.dll
.text   E:\Programy\Skype\Updater\Updater.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000762f16bd 2 bytes JMP 77778671 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW   00000000762a2ab1 5 bytes JMP 0000000070c68d9e
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary   00000000762a2d1d 5 bytes JMP 0000000070c68e08
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   00000000762f1401 2 bytes JMP 776fb21b C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   00000000762f1419 2 bytes JMP 776fb346 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   00000000762f1431 2 bytes JMP 77778f29 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   00000000762f144a 2 bytes CALL 776d489d C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000762f14dd 2 bytes JMP 77778822 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000762f14f5 2 bytes JMP 777789f8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   00000000762f150d 2 bytes JMP 77778718 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   00000000762f1525 2 bytes JMP 77778ae2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   00000000762f153d 2 bytes JMP 776efca8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   00000000762f1555 2 bytes JMP 776f68ef C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   00000000762f156d 2 bytes JMP 77778fe3 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   00000000762f1585 2 bytes JMP 77778b42 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   00000000762f159d 2 bytes JMP 777786dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000762f15b5 2 bytes JMP 776efd41 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000762f15cd 2 bytes JMP 776fb2dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000762f16b2 2 bytes JMP 77778ea4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000762f16bd 2 bytes JMP 77778671 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   00000000762f1401 2 bytes JMP 776fb21b C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   00000000762f1419 2 bytes JMP 776fb346 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   00000000762f1431 2 bytes JMP 77778f29 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   00000000762f144a 2 bytes CALL 776d489d C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000762f14dd 2 bytes JMP 77778822 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000762f14f5 2 bytes JMP 777789f8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   00000000762f150d 2 bytes JMP 77778718 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   00000000762f1525 2 bytes JMP 77778ae2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   00000000762f153d 2 bytes JMP 776efca8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   00000000762f1555 2 bytes JMP 776f68ef C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   00000000762f156d 2 bytes JMP 77778fe3 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   00000000762f1585 2 bytes JMP 77778b42 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   00000000762f159d 2 bytes JMP 777786dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000762f15b5 2 bytes JMP 776efd41 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000762f15cd 2 bytes JMP 776fb2dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000762f16b2 2 bytes JMP 77778ea4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000762f16bd 2 bytes JMP 77778671 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   00000000762f1401 2 bytes JMP 776fb21b C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   00000000762f1419 2 bytes JMP 776fb346 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   00000000762f1431 2 bytes JMP 77778f29 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   00000000762f144a 2 bytes CALL 776d489d C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000762f14dd 2 bytes JMP 77778822 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000762f14f5 2 bytes JMP 777789f8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   00000000762f150d 2 bytes JMP 77778718 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   00000000762f1525 2 bytes JMP 77778ae2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   00000000762f153d 2 bytes JMP 776efca8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   00000000762f1555 2 bytes JMP 776f68ef C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   00000000762f156d 2 bytes JMP 77778fe3 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   00000000762f1585 2 bytes JMP 77778b42 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   00000000762f159d 2 bytes JMP 777786dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000762f15b5 2 bytes JMP 776efd41 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000762f15cd 2 bytes JMP 776fb2dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000762f16b2 2 bytes JMP 77778ea4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000762f16bd 2 bytes JMP 77778671 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   00000000762f1401 2 bytes JMP 776fb21b C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   00000000762f1419 2 bytes JMP 776fb346 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   00000000762f1431 2 bytes JMP 77778f29 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   00000000762f144a 2 bytes CALL 776d489d C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000762f14dd 2 bytes JMP 77778822 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000762f14f5 2 bytes JMP 777789f8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   00000000762f150d 2 bytes JMP 77778718 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   00000000762f1525 2 bytes JMP 77778ae2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   00000000762f153d 2 bytes JMP 776efca8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   00000000762f1555 2 bytes JMP 776f68ef C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   00000000762f156d 2 bytes JMP 77778fe3 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   00000000762f1585 2 bytes JMP 77778b42 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   00000000762f159d 2 bytes JMP 777786dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000762f15b5 2 bytes JMP 776efd41 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000762f15cd 2 bytes JMP 776fb2dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000762f16b2 2 bytes JMP 77778ea4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Samsung Magician\Samsung Magician.exe[4752] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000762f16bd 2 bytes JMP 77778671 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.2 ----

IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]   [7fef7ed741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]   [7fef7ed5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]   [7fef7ed5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]   [7fef7ed5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]   [7fef7ed7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]   [7fef7ed6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]   [7fef7ed6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]   [7fef7ed7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]   [7fef7ed7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]   [7fef7ed78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]   [7fef7ed4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]   [7fef7ed5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]   [7fef7ed7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015830cbfeb
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015830cbfeb@00247c3d03fa   0x42 0xFC 0xAC 0x46 ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015830cbfeb (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015830cbfeb@00247c3d03fa   0x42 0xFC 0xAC 0x46 ...

---- EOF - GMER 2.2 ----