GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2018-09-14 10:09:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 ST1000DM003-1SB10C rev.CC43 931,51GB Running: gmer.exe; Driver: C:\Users\LB-Dawid\AppData\Local\Temp\ugtyrkob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077375be0 13 bytes {MOV R11, 0x7fef04bffa0; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2932] C:\Windows\system32\kernel32.dll!BaseThreadInitThunk 00000000772459b0 11 bytes [49, BB, 00, 0A, 4C, F0, FE, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2932] C:\Windows\system32\kernel32.dll!BaseThreadInitThunk + 12 00000000772459bc 1 byte {JMP RBX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2932] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077249010 13 bytes {MOV R11, 0x7feec354bd8; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2932] C:\Windows\system32\kernel32.dll!RtlInstallFunctionTableCallback 000000007727ba30 13 bytes {MOV R11, 0x7fef04c9ad0; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2932] C:\Windows\system32\user32.dll!GetWindowInfo 0000000077148b40 13 bytes {MOV R11, 0x7feec076230; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077375be0 13 bytes {MOV R11, 0x7fef04bffa0; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3040] C:\Windows\system32\kernel32.dll!BaseThreadInitThunk 00000000772459b0 11 bytes [49, BB, 00, 0A, 4C, F0, FE, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3040] C:\Windows\system32\kernel32.dll!BaseThreadInitThunk + 12 00000000772459bc 1 byte {JMP RBX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3040] C:\Windows\system32\kernel32.dll!RtlInstallFunctionTableCallback 000000007727ba30 13 bytes {MOV R11, 0x7fef04c9ad0; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077375be0 13 bytes {MOV R11, 0x7fef04bffa0; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007739bc00 7 bytes [48, B8, 10, 02, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007739bc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007739bd70 7 bytes [48, B8, 40, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007739bd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007739bd90 7 bytes [48, B8, 90, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007739bd98 7 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007739bda0 7 bytes [48, B8, E0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007739bda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007739be20 7 bytes [48, B8, 70, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007739be28 7 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007739be30 7 bytes [48, B8, E0, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007739be38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739be60 7 bytes [48, B8, 00, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007739be68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007739bf00 7 bytes [48, B8, A0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007739bf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739c080 7 bytes [48, B8, A0, FE, 95, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007739c088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007739caf0 7 bytes [48, B8, C0, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007739caf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007739cb40 7 bytes [48, B8, 10, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007739cb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007739cc90 7 bytes [48, B8, C0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007739cc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077375be0 13 bytes {MOV R11, 0x7fef04bffa0; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007739bc00 7 bytes [48, B8, 10, 02, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007739bc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007739bd70 7 bytes [48, B8, 40, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007739bd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007739bd90 7 bytes [48, B8, 90, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007739bd98 7 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007739bda0 7 bytes [48, B8, E0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007739bda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007739be20 7 bytes [48, B8, 70, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007739be28 7 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007739be30 7 bytes [48, B8, E0, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007739be38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739be60 7 bytes [48, B8, 00, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007739be68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007739bf00 7 bytes [48, B8, A0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007739bf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739c080 7 bytes [48, B8, A0, FE, 95, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007739c088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007739caf0 7 bytes [48, B8, C0, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007739caf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007739cb40 7 bytes [48, B8, 10, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007739cb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007739cc90 7 bytes [48, B8, C0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007739cc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077375be0 13 bytes {MOV R11, 0x7fef04bffa0; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007739bc00 7 bytes [48, B8, 10, 02, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 000000007739bc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 000000007739bd70 7 bytes [48, B8, 40, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 000000007739bd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007739bd90 7 bytes [48, B8, 90, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 000000007739bd98 7 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007739bda0 7 bytes [48, B8, E0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 000000007739bda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 000000007739be20 7 bytes [48, B8, 70, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 000000007739be28 7 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 000000007739be30 7 bytes [48, B8, E0, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 000000007739be38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007739be60 7 bytes [48, B8, 00, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007739be68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007739bf00 7 bytes [48, B8, A0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007739bf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007739c080 7 bytes [48, B8, A0, FE, 95, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007739c088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007739caf0 7 bytes [48, B8, C0, 00, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 000000007739caf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007739cb40 7 bytes [48, B8, 10, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 000000007739cb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007739cc90 7 bytes [48, B8, C0, 01, 96, 3F, 01] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007739cc98 6 bytes {ADD [RAX], AL; JMP RAX} .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 7562b263 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 7562b38e C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 756a90f1 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 756048ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 756a89ea C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 756a8bc0 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 756a88e0 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 756a8caa C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 7561fce8 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 75626937 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 756a91a9 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 756a8d0a C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 756a88a4 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 7561fd81 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 7562b324 C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 756a906c C:\Windows\syswow64\KERNEL32.dll .text c:\Program Files (x86)\McNeelUpdate\5.0\McNeelUpdateService.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 756a8839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755e1401 2 bytes JMP 7562b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755e1419 2 bytes JMP 7562b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755e1431 2 bytes JMP 756a90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755e144a 2 bytes CALL 756048ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755e14dd 2 bytes JMP 756a89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755e14f5 2 bytes JMP 756a8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755e150d 2 bytes JMP 756a88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755e1525 2 bytes JMP 756a8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755e153d 2 bytes JMP 7561fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755e1555 2 bytes JMP 75626937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755e156d 2 bytes JMP 756a91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755e1585 2 bytes JMP 756a8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755e159d 2 bytes JMP 756a88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755e15b5 2 bytes JMP 7561fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755e15cd 2 bytes JMP 7562b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755e16b2 2 bytes JMP 756a906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[3628] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755e16bd 2 bytes JMP 756a8839 C:\Windows\syswow64\kernel32.dll ---- Processes - GMER 2.2 ---- Library C:\Program Files (x86)\Dropbox\Client\DropboxExt64.23.0.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1940] 000007fef86f0000 ---- Files - GMER 2.2 ---- File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\53B76918-0014-4868-AAAE-21E7520C2B13 0 bytes File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\OTele\{5FD9F583-7758-4261-83BB-F62296A7FB50} (0) - 6964 - powerpnt.exe - OTele.dat 1283 bytes File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\OTele\{8AE3E503-EE29-46EE-9777-360FF0B81AF1} (0) - 3916 - excel.exe - OTele.dat 128 bytes File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\OTele\{8AE3E503-EE29-46EE-9777-360FF0B81AF1} (0) - 3916 - excel.exe - OTeleMediumCost.dat 184 bytes File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\OTele\{8AE3E503-EE29-46EE-9777-360FF0B81AF1} (1) - 3916 - excel.exe - OTele.dat 151 bytes File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\OTele\{8AE3E503-EE29-46EE-9777-360FF0B81AF1} (1) - 3916 - excel.exe - OTeleMediumCost.dat 662 bytes File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\OTele\{8AE3E503-EE29-46EE-9777-360FF0B81AF1} (2) - 3916 - excel.exe - OTele.dat 311 bytes File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\OTele\{8AE3E503-EE29-46EE-9777-360FF0B81AF1} (2) - 3916 - excel.exe - OTeleMediumCost.dat 614 bytes File C:\Users\LB-Dawid\AppData\Local\Microsoft\Office\OTele\{8AE3E503-EE29-46EE-9777-360FF0B81AF1} (3) - 3916 - excel.exe - OTele.dat 6097 bytes File C:\Users\LB-Dawid\AppData\Roaming\Mozilla\Firefox\Profiles\lgst2td7.dawid\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm 0 bytes File C:\Users\LB-Dawid\AppData\Roaming\Mozilla\Firefox\Profiles\lgst2td7.dawid\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal 0 bytes File C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\114badb8cb66a87b435f289d6b037f9b24261e2d.HomeGroupClassifier\69a8378b4df0d56f466db82d21cd851a\grouping\edb00616.log 262144 bytes File C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\114badb8cb66a87b435f289d6b037f9b24261e2d.HomeGroupClassifier\69a8378b4df0d56f466db82d21cd851a\grouping\edb00617.log 0 bytes ---- EOF - GMER 2.2 ----