GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-29 00:32:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD6400BEVT-80A0RT0 rev.01.01A01 596,17GB Running: wgxnlu5r.exe; Driver: C:\Users\Krystian\AppData\Local\Temp\fgloqpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000193f00 7 bytes [00, 98, F3, FF, 01, A6, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000193f08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\ProgramData\IePluginService\PluginService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ce1465 2 bytes [CE, 75] .text C:\ProgramData\IePluginService\PluginService.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ce14bb 2 bytes [CE, 75] .text ... * 2 .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077621510 6 bytes {JMP QWORD [RIP+0x8b1eb20]} .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776215e0 6 bytes {JMP QWORD [RIP+0x8b5ea50]} .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077621800 6 bytes {JMP QWORD [RIP+0x8b3e830]} .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776218b0 6 bytes {JMP QWORD [RIP+0x8ade780]} .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077621e40 6 bytes {JMP QWORD [RIP+0x8afe1f0]} .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776227e0 6 bytes {JMP QWORD [RIP+0x8b7d850]} .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773cdb80 6 bytes {JMP QWORD [RIP+0x8df24b0]} .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 79000026 .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff7155c8 6 bytes {JMP QWORD [RIP+0x21aa68]} .text C:\Windows\system32\taskhost.exe[2484] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff72b85c 6 bytes {JMP QWORD [RIP+0x1e47d4]} .text C:\Windows\system32\Dwm.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077621510 6 bytes {JMP QWORD [RIP+0x8b1eb20]} .text C:\Windows\system32\Dwm.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776215e0 6 bytes {JMP QWORD [RIP+0x8b5ea50]} .text C:\Windows\system32\Dwm.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077621800 6 bytes {JMP QWORD [RIP+0x8b3e830]} .text C:\Windows\system32\Dwm.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776218b0 6 bytes {JMP QWORD [RIP+0x8ade780]} .text C:\Windows\system32\Dwm.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077621e40 6 bytes {JMP QWORD [RIP+0x8afe1f0]} .text C:\Windows\system32\Dwm.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776227e0 6 bytes {JMP QWORD [RIP+0x8b7d850]} .text C:\Windows\system32\Dwm.exe[2672] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773cdb80 6 bytes {JMP QWORD [RIP+0x8df24b0]} .text C:\Windows\system32\Dwm.exe[2672] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077621510 6 bytes {JMP QWORD [RIP+0x8b1eb20]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776215e0 6 bytes {JMP QWORD [RIP+0x8b5ea50]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077621800 6 bytes {JMP QWORD [RIP+0x8b3e830]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776218b0 6 bytes JMP be3e3e3e .text C:\Windows\Explorer.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077621e40 6 bytes {JMP QWORD [RIP+0x8afe1f0]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776227e0 6 bytes {JMP QWORD [RIP+0x8b7d850]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773cdb80 6 bytes {JMP QWORD [RIP+0x8df24b0]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\msi.dll!MsiSetInternalUI 000007feeff25cd0 6 bytes {JMP QWORD [RIP+0xdfa360]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\msi.dll!MsiInstallProductA 000007feeffa0f20 6 bytes {JMP QWORD [RIP+0xd3f110]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\msi.dll!MsiInstallProductW 000007feeffafaa8 6 bytes {JMP QWORD [RIP+0xd50588]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefb137b34 6 bytes {JMP QWORD [RIP+0x2284fc]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefb1403c0 6 bytes {JMP QWORD [RIP+0x29fc70]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefee63030 6 bytes JMP 50a8b8 .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefee645c1 5 bytes {JMP QWORD [RIP+0x43ba70]} .text C:\Windows\Explorer.EXE[2716] C:\Windows\system32\WS2_32.dll!listen 000007fefee68290 6 bytes JMP 0 .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077621510 6 bytes {JMP QWORD [RIP+0x8b1eb20]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776215e0 6 bytes {JMP QWORD [RIP+0x8b5ea50]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077621800 6 bytes {JMP QWORD [RIP+0x8b3e830]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776218b0 6 bytes {JMP QWORD [RIP+0x8ade780]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077621e40 6 bytes {JMP QWORD [RIP+0x8afe1f0]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776227e0 6 bytes {JMP QWORD [RIP+0x8b7d850]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773cdb80 6 bytes {JMP QWORD [RIP+0x8df24b0]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd729055 3 bytes CALL 9000027 .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefee63030 6 bytes {JMP QWORD [RIP+0x45d000]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefee645c1 5 bytes {JMP QWORD [RIP+0x41ba70]} .text C:\Windows\WindowsMobile\wmdc.exe[2928] C:\Windows\system32\WS2_32.dll!listen 000007fefee68290 6 bytes {JMP QWORD [RIP+0x437da0]} .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000777cfc20 3 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 00000000777cfc24 2 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777cfd64 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777cfd68 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777d00b4 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777d00b8 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777d01c4 3 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000777d01c8 2 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000777d0a44 3 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000777d0a48 2 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777d1920 3 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 00000000777d1924 2 bytes JMP 717b000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076073bbb 3 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076073bbf 2 bytes JMP 7178000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075742c91 4 bytes CALL 71af0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076229679 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762312a5 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076233baa 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007623612e 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\USER32.dll!SendInput 000000007624ff4a 3 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007624ff4e 2 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\USER32.dll!mouse_event 000000007628027b 6 bytes JMP 71a5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762802bf 6 bytes JMP 71a2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000752670c4 6 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[2156] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075283264 6 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000777cfc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 00000000777cfc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777cfd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777cfd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777d00b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777d00b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777d01c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000777d01c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000777d0a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000777d0a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777d1920 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 00000000777d1924 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076073bbb 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076073bbf 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075742c91 4 bytes CALL 71af0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076229679 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762312a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076233baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007623612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\USER32.dll!SendInput 000000007624ff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007624ff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\USER32.dll!mouse_event 000000007628027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762802bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000752670c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2424] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075283264 6 bytes JMP 7196000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000777cfc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 00000000777cfc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777cfd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777cfd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777d00b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777d00b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777d01c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000777d01c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000777d0a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000777d0a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777d1920 3 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 00000000777d1924 2 bytes JMP 7181000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076073bbb 3 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076073bbf 2 bytes JMP 717e000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075742c91 4 bytes CALL 71af0000 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076229679 6 bytes JMP 719f000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762312a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076233baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007623612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\USER32.dll!SendInput 000000007624ff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007624ff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\USER32.dll!mouse_event 000000007628027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762802bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000752670c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[2440] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075283264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000777cfc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 00000000777cfc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777cfd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777cfd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777d00b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777d00b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777d01c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000777d01c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000777d0a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000777d0a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777d1920 3 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 00000000777d1924 2 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076073bbb 3 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076073bbf 2 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075742c91 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000752670c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075283264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076229679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762312a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076233baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007623612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\USER32.dll!SendInput 000000007624ff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007624ff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\USER32.dll!mouse_event 000000007628027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3264] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762802bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077621510 6 bytes {JMP QWORD [RIP+0x8b1eb20]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776215e0 6 bytes {JMP QWORD [RIP+0x8b5ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077621800 6 bytes {JMP QWORD [RIP+0x8b3e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4060] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000776218b0 6 bytes {JMP QWORD [RIP+0x8ade780]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077621e40 6 bytes {JMP QWORD [RIP+0x8afe1f0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000776227e0 6 bytes {JMP QWORD [RIP+0x8b7d850]} .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000777cfc20 3 bytes JMP 718a000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 00000000777cfc24 2 bytes JMP 718a000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000777cfd64 3 bytes JMP 7184000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 00000000777cfd68 2 bytes JMP 7184000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000777d00b4 3 bytes JMP 7187000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000777d00b8 2 bytes JMP 7187000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000777d01c4 3 bytes JMP 7190000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000777d01c8 2 bytes JMP 7190000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 00000000777d0a44 3 bytes JMP 718d000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 00000000777d0a48 2 bytes JMP 718d000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000777d1920 3 bytes JMP 7181000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 00000000777d1924 2 bytes JMP 7181000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076073bbb 3 bytes JMP 717e000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076073bbf 2 bytes JMP 717e000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075742c91 4 bytes CALL 71af0000 .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076229679 6 bytes JMP 719f000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000762312a5 6 bytes JMP 7199000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076233baa 6 bytes JMP 719c000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007623612e 6 bytes JMP 71a2000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\USER32.dll!SendInput 000000007624ff4a 3 bytes JMP 71a5000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007624ff4e 2 bytes JMP 71a5000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\USER32.dll!mouse_event 000000007628027b 6 bytes JMP 71ab000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\USER32.dll!keybd_event 00000000762802bf 6 bytes JMP 71a8000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000752670c4 6 bytes JMP 7193000a .text C:\Users\Krystian\Desktop\wgxnlu5r.exe[3160] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075283264 6 bytes JMP 7196000a ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [372:2088] 000007fef21320c0 Thread C:\Windows\System32\svchost.exe [372:2112] 000007fef21326a8 Thread C:\Windows\System32\svchost.exe [372:2120] 000007fef21329dc Thread C:\Windows\System32\svchost.exe [372:2132] 000007fef21014a0 Thread C:\Windows\System32\svchost.exe [372:2216] 000007fef1dca2b0 Thread C:\Windows\System32\svchost.exe [372:2308] 000007fef49188f8 Thread C:\Windows\System32\svchost.exe [372:3444] 000007fef3a344e0 Thread C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [1608:1676] 000007fef93ebd94 Thread C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [1608:1680] 000007fef9363368 Thread C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [1608:1256] 000007fef9363368 Thread C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [1608:828] 000007fef23d2e60 Thread C:\Windows\system32\svchost.exe [1840:2000] 000007fef35c5fd0 Thread C:\Windows\system32\svchost.exe [1840:2004] 000007fef35c63ec ---- EOF - GMER 2.1 ----