GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-15 21:18:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005c Hitachi_ rev.PB4O 465,76GB Running: xx72kste.exe; Driver: C:\Users\Ewa\AppData\Local\Temp\axtdqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Object Browser\bf10b529-f509-4a81-9303-66fc243bbaa6-6.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pidgin\pidgin.exe[4092] C:\Program Files (x86)\Pidgin\plugins\.dll!purple_init_plugin + 9 00000000651e1f95 4 bytes [20, B0, AC, 68] .text C:\Program Files (x86)\Pidgin\pidgin.exe[4092] C:\Program Files (x86)\Pidgin\plugins\.dll!purple_init_plugin + 130 00000000651e200e 4 bytes [20, B0, AC, 68] .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\IQIYI Video\LStyle\QyKernel.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4528] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[4604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[6844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000763b1401 2 bytes JMP 75ebb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000763b1419 2 bytes JMP 75ebb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000763b1431 2 bytes JMP 75f38f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000763b144a 2 bytes CALL 75e94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000763b14dd 2 bytes JMP 75f38832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000763b14f5 2 bytes JMP 75f38a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000763b150d 2 bytes JMP 75f38728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000763b1525 2 bytes JMP 75f38af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000763b153d 2 bytes JMP 75eafc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000763b1555 2 bytes JMP 75eb68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000763b156d 2 bytes JMP 75f38ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000763b1585 2 bytes JMP 75f38b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000763b159d 2 bytes JMP 75f386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000763b15b5 2 bytes JMP 75eafd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000763b15cd 2 bytes JMP 75ebb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000763b16b2 2 bytes JMP 75f38eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[5572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000763b16bd 2 bytes JMP 75f38681 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x76 0xBE 0xDA 0x74 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x76 0xBE 0xDA 0x74 ... ---- EOF - GMER 2.1 ----