GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-08 23:36:11 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 CT250BX100SSD1 rev.MU02 232,89GB Running: f3fmmug7.exe; Driver: C:\Users\japcun\AppData\Local\Temp\fwrdipoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\SideSync4\SideSync.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe[1740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\MSI\Fast Boot\FastBoot.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\KERNEL32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[3048] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\SysWOW64\ntdll.dll!RtlPcToFileHeader 0000000077ab08b3 7 bytes JMP 0000000004315c60 .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\svchost.exe[5108] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[732] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077689010 4 bytes [C3, 00, 00, 00] .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\steam.exe[5304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a41401 2 bytes JMP 770eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a41419 2 bytes JMP 770eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a41431 2 bytes JMP 771690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a4144a 2 bytes CALL 770c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a414dd 2 bytes JMP 771689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a414f5 2 bytes JMP 77168bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a4150d 2 bytes JMP 771688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a41525 2 bytes JMP 77168caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a4153d 2 bytes JMP 770dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a41555 2 bytes JMP 770e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a4156d 2 bytes JMP 771691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a41585 2 bytes JMP 77168d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a4159d 2 bytes JMP 771688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a415b5 2 bytes JMP 770dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a415cd 2 bytes JMP 770eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a416b2 2 bytes JMP 7716906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a416bd 2 bytes JMP 77168839 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800101ce94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800101cc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800101d654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800101da50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800101d8ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80070072c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80070072c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80070072c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80070072c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80070072c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80070072c0 Device \FileSystem\Ntfs \Ntfs fffffa800700f2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8007fd72c0 Device \Driver\cdrom \Device\CdRom0 fffffa80078d02c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8007fd72c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8007fd72c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FA69C24B-5DF0-4AD3-8B5F-514D3C5BDCEC} fffffa8007b5b2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007b5b2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80070072c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8007fd72c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80070072c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80070072c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80070072c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80070072c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80076b5060] fffffa80076b5060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa80072ab060] fffffa80072ab060 Trace \Driver\atapi[0xfffffa80070d35e0] -> IRP_MJ_CREATE -> 0xfffffa80070072c0 fffffa80070072c0 ---- Threads - GMER 2.2 ---- Thread C:\Windows\SysWOW64\svchost.exe [3048:3156] 00000000000c191f Thread C:\Windows\SysWOW64\svchost.exe [3048:3164] 00000000000c2f9a Thread C:\Windows\SysWOW64\svchost.exe [3048:5104] 00000000000c14a5 Thread C:\Windows\SysWOW64\svchost.exe [5108:3724] 000000000008191f Thread C:\Windows\SysWOW64\svchost.exe [5108:2160] 0000000000082f9a Thread C:\Windows\SysWOW64\svchost.exe [5108:4644] 000000000433d641 Thread C:\Windows\SysWOW64\svchost.exe [5108:4692] 000000000463a4e0 Thread C:\Windows\SysWOW64\svchost.exe [5108:4684] 000000000463a4e0 Thread C:\Windows\SysWOW64\svchost.exe [5108:3864] 000000000463a4e0 Thread C:\Windows\SysWOW64\svchost.exe [5108:4132] 000000000463a4e0 Thread C:\Windows\SysWOW64\svchost.exe [5108:4128] 000000000463a4e0 Thread C:\Windows\SysWOW64\svchost.exe [5108:1292] 000000000463a4e0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4472:5196] 000007fefbc92af4 Thread C:\Windows\System32\svchost.exe [4704:4912] 000007fef1dd9688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x08 0xC7 0xCC 0x85 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x08 0xC7 0xCC 0x85 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ ---- EOF - GMER 2.2 ----