GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-12 19:47:08
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000064 Hitachi_ rev.JP4O 931,51GB
Running: 6i0oqip1.exe; Driver: C:\Users\admin\AppData\Local\Temp\uwddakob.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2368] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076c88769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077d5f9f0 5 bytes JMP 00000000666fea93
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 0000000077d5fa38 5 bytes JMP 00000000666ff0f8
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 0000000077d5fa50 5 bytes JMP 00000000666fd830
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 0000000077d5faa0 5 bytes JMP 00000000666fd38c
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077d5fab8 5 bytes JMP 00000000666fd67d
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 0000000077d5fb50 5 bytes JMP 00000000666ff338
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 0000000077d5fc48 5 bytes JMP 000000006670a713
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 0000000077d5fd5c 5 bytes JMP 00000000666fd1d4
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077d5fd74 5 bytes JMP 0000000066709d35
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077d5fda8 5 bytes JMP 000000006670a030
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 0000000077d5fe54 5 bytes JMP 00000000666fe668
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 0000000077d5fe6c 5 bytes JMP 0000000066709e5e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077d600c4 5 bytes JMP 0000000066709b7a
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 0000000077d601d4 5 bytes JMP 00000000666fd9d8
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 0000000077d60764 5 bytes JMP 00000000666ff3da
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 0000000077d609f4 5 bytes JMP 0000000066709d72
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 0000000077d60a0c 5 bytes JMP 00000000666fcfa8
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077d60a54 5 bytes JMP 00000000666fdb8e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077d60b90 5 bytes JMP 00000000666fd0be
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077d60f80 5 bytes JMP 00000000666fe01b
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077d60f98 5 bytes JMP 00000000666fe1b7
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077d61028 5 bytes JMP 00000000666ff185
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077d61040 5 bytes JMP 00000000666ff2a8
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077d61058 5 bytes JMP 00000000666ff215
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 0000000077d6134c 5 bytes JMP 0000000066709f47
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 0000000077d6148c 5 bytes JMP 00000000666fde8e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077d61538 5 bytes JMP 00000000666fe37b
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077d61728 5 bytes JMP 00000000666fdd06
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077d61a68 5 bytes JMP 00000000666fd535
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077d61bac 5 bytes JMP 00000000666fe4fd
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076c8103d 5 bytes JMP 00000000666e3904
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076c81072 5 bytes JMP 00000000666e3d68
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076c88769 5 bytes JMP 000000005fbbaaf9
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076cac9f5 5 bytes JMP 00000000666e3a1e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\kernel32.dll!WinExec 0000000076d03231 5 bytes JMP 00000000666e3c62
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076b527ea 5 bytes JMP 00000000666e3f75
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 00000000756a9ebd 5 bytes JMP 000000005fbd8388
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 00000000756b0b12 5 bytes JMP 000000005fbdc27c
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\USER32.dll!BeginPaint 00000000756b1379 5 bytes JMP 000000005fbeb669
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\USER32.dll!ValidateRect 00000000756b843b 5 bytes JMP 000000005fde95f6
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 0000000075957e4b 5 bytes JMP 000000005fcd15b0
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076df6113 5 bytes JMP 000000006036cfc3
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000076dfe9d9 7 bytes JMP 000000006671e370
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!OleRun 0000000076e007ae 5 bytes JMP 000000006671de9e
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076e021b1 5 bytes JMP 0000000066721745
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!OleUninitialize 0000000076e0eb81 6 bytes JMP 000000006671de15
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!OleInitialize 0000000076e0efb7 5 bytes JMP 000000006671ddcd
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000076e2546d 5 bytes JMP 000000006671fdbb
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoInitializeEx 0000000076e30965 5 bytes JMP 000000006671dd6d
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoUninitialize 0000000076e38683 5 bytes JMP 00000000667207cf
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076e39cbb 5 bytes JMP 00000000667214ec
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076e39cfe 5 bytes JMP 000000006671f3c7
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000076e5ba99 7 bytes JMP 000000006671dee6
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076e7ea67 5 bytes JMP 000000006671fa7c
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000076eb34d4 5 bytes JMP 00000000667208cf
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000076efd055 5 bytes JMP 000000006671de56
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\oleaut32.dll!VariantClear 0000000077273f18 5 bytes JMP 000000005fc2bc2d
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\oleaut32.dll!SysFreeString 0000000077274513 5 bytes JMP 000000005fc0ec93
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\oleaut32.dll!SysAllocStringByteLen 00000000772747c1 5 bytes JMP 000000005fcae7c6
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\oleaut32.dll!VariantChangeType 0000000077275d6d 5 bytes JMP 000000005fcbdaf5
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject 00000000772a25c2 5 bytes JMP 00000000667203db
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\oleaut32.dll!RevokeActiveObject 00000000772a30b8 5 bytes JMP 000000006671dd25
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\oleaut32.dll!GetActiveObject 00000000772b9260 5 bytes JMP 000000006672056f
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077381401 2 bytes JMP 76cab233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077381419 2 bytes JMP 76cab35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077381431 2 bytes JMP 76d29149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007738144a 2 bytes CALL 76c84885 C:\Windows\syswow64\kernel32.dll
.text ...
* 9
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773814dd 2 bytes JMP 76d28a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773814f5 2 bytes JMP 76d28c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007738150d 2 bytes JMP 76d28938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077381525 2 bytes JMP 76d28d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007738153d 2 bytes JMP 76c9fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077381555 2 bytes JMP 76ca6907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007738156d 2 bytes JMP 76d29201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077381585 2 bytes JMP 76d28d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007738159d 2 bytes JMP 76d288fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773815b5 2 bytes JMP 76c9fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773815cd 2 bytes JMP 76cab2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773816b2 2 bytes JMP 76d290c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE[4312] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773816bd 2 bytes JMP 76d28891 C:\Windows\syswow64\kernel32.dll
? C:\Windows\system32\mssprxy.dll [4312] entry point in ".rdata" section 00000000726971e6
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077381401 2 bytes JMP 76cab233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077381419 2 bytes JMP 76cab35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077381431 2 bytes JMP 76d29149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007738144a 2 bytes CALL 76c84885 C:\Windows\syswow64\kernel32.dll
.text ...
* 9
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773814dd 2 bytes JMP 76d28a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773814f5 2 bytes JMP 76d28c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007738150d 2 bytes JMP 76d28938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077381525 2 bytes JMP 76d28d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007738153d 2 bytes JMP 76c9fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077381555 2 bytes JMP 76ca6907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007738156d 2 bytes JMP 76d29201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077381585 2 bytes JMP 76d28d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007738159d 2 bytes JMP 76d288fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773815b5 2 bytes JMP 76c9fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773815cd 2 bytes JMP 76cab2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773816b2 2 bytes JMP 76d290c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773816bd 2 bytes JMP 76d28891 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077381401 2 bytes JMP 76cab233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077381419 2 bytes JMP 76cab35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077381431 2 bytes JMP 76d29149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007738144a 2 bytes CALL 76c84885 C:\Windows\syswow64\kernel32.dll
.text ...
* 9
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773814dd 2 bytes JMP 76d28a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773814f5 2 bytes JMP 76d28c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007738150d 2 bytes JMP 76d28938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077381525 2 bytes JMP 76d28d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007738153d 2 bytes JMP 76c9fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077381555 2 bytes JMP 76ca6907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007738156d 2 bytes JMP 76d29201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077381585 2 bytes JMP 76d28d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007738159d 2 bytes JMP 76d288fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773815b5 2 bytes JMP 76c9fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773815cd 2 bytes JMP 76cab2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773816b2 2 bytes JMP 76d290c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773816bd 2 bytes JMP 76d28891 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.2 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3752:3956] 000007fefbc02be0

---- Processes - GMER 2.2 ----

Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [4312] 000000005fbb0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [4312] 00000000636e0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [4312] 00000000726c0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\WXPNSE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [4312] 00000000725b0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1045\OSFINTL.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE [4312] 0000000072570000

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14833881639792280@SetupOperations
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14833882271262280@SetupOperations
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14833881639792280@SetupOperations
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14833882271262280@SetupOperations