GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-09 20:30:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3500418AS rev.CC38 465,76GB Running: gmer.exe; Driver: C:\Users\Xxx\AppData\Local\Temp\uxriqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000772f1401 2 bytes JMP 7679b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000772f1419 2 bytes JMP 7679b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000772f1431 2 bytes JMP 76818ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000772f144a 2 bytes CALL 767748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772f14dd 2 bytes JMP 768187a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772f14f5 2 bytes JMP 76818978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000772f150d 2 bytes JMP 76818698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000772f1525 2 bytes JMP 76818a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000772f153d 2 bytes JMP 7678fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000772f1555 2 bytes JMP 767968ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000772f156d 2 bytes JMP 76818f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000772f1585 2 bytes JMP 76818ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000772f159d 2 bytes JMP 7681865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772f15b5 2 bytes JMP 7678fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772f15cd 2 bytes JMP 7679b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772f16b2 2 bytes JMP 76818e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Xxx\AppData\Roaming\uTorrent\uTorrent.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772f16bd 2 bytes JMP 768185f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000748917fa 2 bytes CALL 767711a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074891860 2 bytes CALL 767711a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074891942 2 bytes JMP 77547089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007489194d 2 bytes JMP 7754cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000772f1401 2 bytes JMP 7679b21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000772f1419 2 bytes JMP 7679b346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000772f1431 2 bytes JMP 76818ea9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000772f144a 2 bytes CALL 767748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772f14dd 2 bytes JMP 768187a2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772f14f5 2 bytes JMP 76818978 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000772f150d 2 bytes JMP 76818698 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000772f1525 2 bytes JMP 76818a62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000772f153d 2 bytes JMP 7678fca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000772f1555 2 bytes JMP 767968ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000772f156d 2 bytes JMP 76818f61 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000772f1585 2 bytes JMP 76818ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000772f159d 2 bytes JMP 7681865c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772f15b5 2 bytes JMP 7678fd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772f15cd 2 bytes JMP 7679b2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772f16b2 2 bytes JMP 76818e24 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772f16bd 2 bytes JMP 768185f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000772f1401 2 bytes JMP 7679b21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000772f1419 2 bytes JMP 7679b346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000772f1431 2 bytes JMP 76818ea9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000772f144a 2 bytes CALL 767748ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000772f14dd 2 bytes JMP 768187a2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000772f14f5 2 bytes JMP 76818978 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000772f150d 2 bytes JMP 76818698 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000772f1525 2 bytes JMP 76818a62 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000772f153d 2 bytes JMP 7678fca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000772f1555 2 bytes JMP 767968ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000772f156d 2 bytes JMP 76818f61 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000772f1585 2 bytes JMP 76818ac2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000772f159d 2 bytes JMP 7681865c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000772f15b5 2 bytes JMP 7678fd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000772f15cd 2 bytes JMP 7679b2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000772f16b2 2 bytes JMP 76818e24 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\utilRoundWorld.exe[1480] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000772f16bd 2 bytes JMP 768185f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000772f1401 2 bytes JMP 7679b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000772f1419 2 bytes JMP 7679b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000772f1431 2 bytes JMP 76818ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000772f144a 2 bytes CALL 767748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772f14dd 2 bytes JMP 768187a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772f14f5 2 bytes JMP 76818978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000772f150d 2 bytes JMP 76818698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000772f1525 2 bytes JMP 76818a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000772f153d 2 bytes JMP 7678fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000772f1555 2 bytes JMP 767968ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000772f156d 2 bytes JMP 76818f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000772f1585 2 bytes JMP 76818ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000772f159d 2 bytes JMP 7681865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772f15b5 2 bytes JMP 7678fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772f15cd 2 bytes JMP 7679b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772f16b2 2 bytes JMP 76818e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.expext.exe[5068] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772f16bd 2 bytes JMP 768185f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000772f1401 2 bytes JMP 7679b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000772f1419 2 bytes JMP 7679b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000772f1431 2 bytes JMP 76818ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000772f144a 2 bytes CALL 767748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772f14dd 2 bytes JMP 768187a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772f14f5 2 bytes JMP 76818978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000772f150d 2 bytes JMP 76818698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000772f1525 2 bytes JMP 76818a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000772f153d 2 bytes JMP 7678fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000772f1555 2 bytes JMP 767968ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000772f156d 2 bytes JMP 76818f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000772f1585 2 bytes JMP 76818ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000772f159d 2 bytes JMP 7681865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772f15b5 2 bytes JMP 7678fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772f15cd 2 bytes JMP 7679b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772f16b2 2 bytes JMP 76818e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Round World\bin\RoundWorld.BrowserAdapter.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772f16bd 2 bytes JMP 768185f1 C:\Windows\syswow64\kernel32.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_onexit] [3d736f7074756f79] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_lock] [6c2022656e6f6e22] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!__dllonexit] [72223d74756f7961] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_unlock] [74756f79616c776f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!?terminate@@YAXXZ] [7020222930373128] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [223d676e69646461] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_amsg_exit] [7072302874636572] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_initterm] [7072302c7072302c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_XcptFilter] [d3e22297072372c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memset] [3d7373616c632074] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!malloc] [746e6f635f706322] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcsstr] [747865745f746e65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_ui64tow] [6e65746e6f632022] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!vswprintf_s] [7473736572223d74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_vscwprintf] [2229313835312872] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_wcsicmp] [223d687464697720] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcstok_s] [3e2f227072303531] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!iswspace] [656d656c653c0a0d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcmp] [756f79616c20746e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcpy] [6564726f62223d74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcstol] [2874756f79616c72] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcscspn] [756f79616c202229] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!calloc] [6c63223d736f7074] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!free] [a0d3e22746e6569] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memmove_s] [206e6f747475623c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcpy_s] [63223d7373616c63] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_wsplitpath_s] [6e65746e6f635f70] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_vsnwprintf] [20226b6e696c5f74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!sqrtf] [223d657669746361] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!logf] [656b7c6573756f6d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!__CxxFrameHandler3] [20226472616f6279] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_CxxThrowException] [6d6f7461223d6469] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!ceilf] [6574697362655728] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleHandleW] [736f7074756f7961] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateToolhelp32Snapshot] [746e65696c63223d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentThreadId] [6e65746e6f632022] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Sleep] [7473736572223d74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CompareStringOrdinal] [2229323835312872] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetVersion] [6c652f3c0a0d3e2f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LocalFree] [a0d3e746e656d65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetLastError] [6e656d656c652f3c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DeactivateActCtx] [6c652f3c0a0d3e74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetLastError] [a0d3e746e656d65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadLibraryW] [6e656d656c652f3c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcAddress] [6c652f3c0a0d3e74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ActivateActCtx] [a0d3e746e656d65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindActCtxSectionStringW] [746e656d656c653c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateActCtxW] [7074756f79616c20] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleFileNameW] [22706f74223d736f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleHandleExW] [3d74756f79616c20] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryActCtxW] [6c726564726f6222] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!OutputDebugStringA] [22292874756f7961] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CloseHandle] [302874636572223d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WaitForSingleObject] [6e61707865206f72] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateEventW] [726f666e69223d64] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetEvent] [65736e6f6974616d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DeleteFileW] [7469746e6f697463] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CompareFileTime] [623c0a0d3e22656c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrlenW] [6e6e6f6320646e69] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetFileAttributesW] [746954223d746365] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateFileW] [746e6f632022656c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalFree] [736572223d746e65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateThread] [3534353128727473] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LocalAlloc] [2f3c0a0d3e2f2229] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrcmpW] [a0d3e6f7263616d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrcmpiW] [746e656d656c653c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FreeLibrary] [7074756f79616c20] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SizeofResource] [22706f74223d736f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LockResource] [3d74756f79616c20] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadResource] [6c726564726f6222] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindResourceW] [22292874756f7961] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindResourceExW] [676e696464617020] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetFileAttributesW] [322874636572223d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemTime] [2c7072302c707230] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SystemTimeToTzSpecificLocalTime] [297072302c707230] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WaitForMultipleObjects] [656c653c0a0d3e22] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FileTimeToSystemTime] [79616c20746e656d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalAlloc] [223d736f7074756f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalReAlloc] [7720227468676972] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SystemTimeToFileTime] [3231223d68746469] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTickCount] [79616c2022707230] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Process32FirstW] [726f62223d74756f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ReadFile] [756f79616c726564] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WriteFile] [6461702022292874] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetFilePointerEx] [6572223d676e6964] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FlushFileBuffers] [302c707235287463] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetFileInformationByHandle] [302c7072302c7072] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalSize] [3c0a0d3e22297072] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalLock] [657461676976614e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalUnlock] [69206e6f74747542] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentProcessId] [286d6f7461223d64] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FileTimeToLocalFileTime] [655365676e616843] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetDateFormatW] [6c4573676e697474] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTimeFormatW] [202229746e656d65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FormatMessageW] [6f7074756f79616c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ReleaseActCtx] [2022706f74223d73] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [223d74756f79616c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DosDateTimeToFileTime] [616c726564726f62] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!EnumUILanguagesW] [2022292874756f79] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetUserDefaultUILanguage] [223d726f73727563] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetLocaleInfoW] [68732022646e6168] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetDriveTypeW] [75636578656c6c65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcessHeap] [79735c5c25726964] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!HeapFree] [5c5c32336d657473] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DisableThreadLibraryCalls] [72706d6574737973] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemDirectoryW] [736569747265706f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetNumberFormatW] [72657475706d6f63] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!MulDiv] [6578652e656d616e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTempPathW] [7475623c0a0d3e22] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateDirectoryW] [65656873206e6f74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!TzSpecificLocalTimeToSystemTime] [61544c5043223d74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryPerformanceCounter] [7974536275486b73] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryPerformanceFrequency] [73616c632022656c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ResetEvent] [6c65696853223d73] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadLibraryExA] [6c20226e6f634964] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DelayLoadFailureHook] [736f7074756f7961] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!HeapDestroy] [20227466656c223d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RaiseException] [74656d737973202c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetVersionExA] [2c29393428636972] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [7274656d73797320] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!TerminateProcess] [202c293035286369] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentProcess] [287972617262696c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!UnhandledExceptionFilter] [7365726567616d69] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [202229296c6c642e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlVirtualUnwind] [3d676e6964646170] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlLookupFunctionEntry] [7230287463657222] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlCaptureContext] [72302c7072302c70] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Process32NextW] [2022297072302c70] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!OpenProcess] [223d657669746361] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcessTimes] [6120226573756f6d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptAcquireContextW] [2263696870617267] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptImportKey] [656d616e63636120] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptCreateHash] [727473736572223d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptHashData] [6120222930303328] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptSignHashW] [6c62697373656363] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptDestroyHash] [2265757274223d65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptDestroyKey] [656c653c0a0d3e2f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptReleaseContext] [79616c20746e656d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegCloseKey] [2874756f79616c77] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegOpenKeyExW] [756f79616c202229] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegQueryValueExW] [656c223d736f7074] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegEnumKeyW] [6563636120227466] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetDeviceCaps] [6b7c6573756f6d22] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!DeleteDC] [226472616f627965] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetTextExtentPoint32W] [6f7461223d646920] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetStockObject] [6e6f74747542286d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetTextExtentPointW] [655365676e616843] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!CreateDIBSection] [222973676e697474] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!DeleteObject] [746e65746e6f6320] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!CreateCompatibleDC] [727473736572223d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrRetToBufW] [6572223d6e6f6974] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHGetThreadRef] [3835312872747373] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHRegGetValueW] [746e656d656c652f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrStrIW] [7475426574616769] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathCombineW] [6f62223d74756f79] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpIW] [72223d676e696464] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrStrW] [2c70723028746365] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCSpnW] [2c7072302c707230] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathFindFileNameW] [a0d3e2229707230] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrFormatByteSizeW] [746e656d656c653c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpW] [7074756f79616c20] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHGetValueW] [22706f74223d736f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpLogicalW] [6f79616c776f7222] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveBlanksW] [2229393631287475] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!AssocQueryKeyW] [676e696464617020] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveExtensionW] [302874636572223d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHStrDupW] [302c7072302c7072] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathStripPathW] [22297072382c7072] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathAddBackslashW] [6d656c653c0a0d3e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathAppendW] [73616c6320746e65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!AssocCreate] [6f635f7063223d73] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathFindExtensionW] [65745f746e65746e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveFileSpecW] [3734353128727473] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!UnregisterClassA] [656c653c0a0d3e2f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DialogBoxParamW] [3d646920746e656d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!InsertMenuW] [6f43286d6f746122] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CharNextW] [614e72657475706d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!RemoveMenu] [616c63202229656d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSubMenu] [635f7063223d7373] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!TrackPopupMenu] [745f746e65746e6f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetFocus] [6e6f632022747865] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetForegroundWindow] [6572223d746e6574] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetForegroundWindow] [3435312872747373] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetShellWindow] [3c0a0d3e2f222938] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadMenuW] [746e656d656c652f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyMenu] [6d656c653c0a0d3e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadStringW] [6f79616c20746e65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendMessageW] [74223d736f707475] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClassNameW] [6f79616c2022706f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetMenuDefaultItem] [6c776f72223d7475] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadIconW] [36312874756f7961] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowTextW] [6464617020222939] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetDlgItemTextW] [636572223d676e69] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!EndDialog] [72302c7072302874] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDlgItem] [72382c7072302c70] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowLongPtrW] [653c0a0d3e222970] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowLongPtrW] [6320746e656d656c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!IsDlgButtonChecked] [7063223d7373616c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!UnhookWindowsHookEx] [746e65746e6f635f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendDlgItemMessageW] [632022747865745f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CheckDlgButton] [223d746e65746e6f] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!EnableWindow] [3128727473736572] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ShowWindow] [6977202229393435] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowLongW] [303531223d687464] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowLongW] [3c0a0d3e2f227072] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClientRect] [20746e656d656c65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSystemMetrics] [6d6f7461223d6469] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadImageW] [6d6f436c6c754628] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetParent] [6d614e7265747570] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!IsChild] [73616c6320222965] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CallNextHookEx] [6f635f7063223d73] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CreateWindowExW] [65745f746e65746e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowPos] [746e6f6320227478] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowsHookExW] [736572223d746e65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDC] [3035353128727473] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ReleaseDC] [2f3c0a0d3e2f2229] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowRect] [3e746e656d656c65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ScreenToClient] [656d656c653c0a0d] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetTimer] [756f79616c20746e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!KillTimer] [6f74223d736f7074] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!PostMessageW] [756f79616c202270] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDlgCtrlID] [616c776f72223d74] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyIcon] [3936312874756f79] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowTextW] [6964646170202229] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CopyImage] [74636572223d676e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSysColor] [7072302c70723028] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetCursorPos] [7072382c7072302c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClassInfoW] [6c6320746e656d65] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadCursorW] [5f7063223d737361] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!RegisterClassW] [5f746e65746e6f63] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!FindWindowW] [6f63202274786574] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindow] [72223d746e65746e] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowThreadProcessId] [3531287274737365] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendMessageTimeoutW] [6469772022293135] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SwitchToThisWindow] [72303531223d6874] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetLastActivePopup] [653c0a0d3e2f2270] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyWindow] [6920746e656d656c] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!RegisterClipboardFormatW] [286d6f7461223d64] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetMenuItemInfoW] [72657475706d6f43] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetMenuItemCount] [7470697263736544] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[WINMM.dll!timeSetEvent] [5f7063223d737361] IAT C:\Windows\Explorer.EXE[1644] @ C:\Windows\system32\wpdshext.dll[WINMM.dll!timeKillEvent] [5f746e65746e6f63] ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2316:3364] 000007fef2619688 ---- Processes - GMER 2.1 ---- Library C:\Users\Xxx\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1644] (GG drive menu/GG Network S.A.)(2013-09 000000005ff80000 ---- Files - GMER 2.1 ---- File C:\ProgramData\Microsoft\RAC\Temp\sql1E4.tmp 20480 bytes File C:\ProgramData\Microsoft\RAC\Temp\sql31D.tmp 20480 bytes ---- EOF - GMER 2.1 ----