GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-10 21:45:32
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\00000062 SAMSUNG_ rev.1AQ1 1863,02GB
Running: gmer.exe; Driver: C:\Users\olila\AppData\Local\Temp\fwddrkob.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000753d1401 2 bytes JMP 7558eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000753d1419 2 bytes JMP 7559b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000753d1431 2 bytes JMP 75618609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000753d144a 2 bytes CALL 75571dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000753d14dd 2 bytes JMP 75617efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000753d14f5 2 bytes JMP 756180d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000753d150d 2 bytes JMP 75617df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000753d1525 2 bytes JMP 756181c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000753d153d 2 bytes JMP 7558f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000753d1555 2 bytes JMP 7559b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000753d156d 2 bytes JMP 756186c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000753d1585 2 bytes JMP 75618222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000753d159d 2 bytes JMP 75617db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000753d15b5 2 bytes JMP 7558f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000753d15cd 2 bytes JMP 7559b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000753d16b2 2 bytes JMP 75618584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[1900] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000753d16bd 2 bytes JMP 75617d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2072] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2072] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Windows\system32\svchost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\system32\svchost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\system32\svchost.exe[2152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\ToolbarUpdater.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\ToolbarUpdater.exe[2184] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\ToolbarUpdater.exe[2184] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2264] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\loggingserver.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\loggingserver.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\loggingserver.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Windows\system32\conhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\system32\conhost.exe[2336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\system32\conhost.exe[2336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Windows\system32\taskhost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\system32\taskhost.exe[2540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\system32\taskhost.exe[2540] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2680] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2688] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\system32\taskeng.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\system32\taskeng.exe[2888] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Windows\system32\WUDFHost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\system32\WUDFHost.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\system32\WUDFHost.exe[2432] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Windows\system32\Dwm.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\system32\Dwm.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\system32\Dwm.exe[1808] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\Explorer.EXE[3076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\Explorer.EXE[3076] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753d1401 2 bytes JMP 7558eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753d1419 2 bytes JMP 7559b513 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753d1431 2 bytes JMP 75618609 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753d144a 2 bytes CALL 75571dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753d14dd 2 bytes JMP 75617efe C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753d14f5 2 bytes JMP 756180d8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753d150d 2 bytes JMP 75617df4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753d1525 2 bytes JMP 756181c2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753d153d 2 bytes JMP 7558f088 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753d1555 2 bytes JMP 7559b885 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753d156d 2 bytes JMP 756186c1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753d1585 2 bytes JMP 75618222 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753d159d 2 bytes JMP 75617db8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753d15b5 2 bytes JMP 7558f121 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753d15cd 2 bytes JMP 7559b29f C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753d16b2 2 bytes JMP 75618584 C:\Windows\syswow64\kernel32.dll
.text C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753d16bd 2 bytes JMP 75617d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3428] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3428] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3428] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 00000000753d1401 2 bytes JMP 7558eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 00000000753d1419 2 bytes JMP 7559b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 00000000753d1431 2 bytes JMP 75618609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 00000000753d144a 2 bytes CALL 75571dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000753d14dd 2 bytes JMP 75617efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000753d14f5 2 bytes JMP 756180d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 00000000753d150d 2 bytes JMP 75617df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 00000000753d1525 2 bytes JMP 756181c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 00000000753d153d 2 bytes JMP 7558f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 00000000753d1555 2 bytes JMP 7559b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 00000000753d156d 2 bytes JMP 756186c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 00000000753d1585 2 bytes JMP 75618222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 00000000753d159d 2 bytes JMP 75617db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000753d15b5 2 bytes JMP 7558f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000753d15cd 2 bytes JMP 7559b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000753d16b2 2 bytes JMP 75618584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3436] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000753d16bd 2 bytes JMP 75617d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000753d1401 2 bytes JMP 7558eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000753d1419 2 bytes JMP 7559b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000753d1431 2 bytes JMP 75618609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000753d144a 2 bytes CALL 75571dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000753d14dd 2 bytes JMP 75617efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000753d14f5 2 bytes JMP 756180d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000753d150d 2 bytes JMP 75617df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000753d1525 2 bytes JMP 756181c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000753d153d 2 bytes JMP 7558f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000753d1555 2 bytes JMP 7559b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000753d156d 2 bytes JMP 756186c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000753d1585 2 bytes JMP 75618222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000753d159d 2 bytes JMP 75617db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000753d15b5 2 bytes JMP 7558f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000753d15cd 2 bytes JMP 7559b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000753d16b2 2 bytes JMP 75618584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[3444] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000753d16bd 2 bytes JMP 75617d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3804] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\system32\SearchIndexer.exe[3836] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text J:\FIXPC\FRST64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text J:\FIXPC\FRST64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text J:\FIXPC\FRST64.exe[4732] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Windows\system32\svchost.exe[4372] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077330130 5 bytes JMP 0000000077490128
.text C:\Windows\system32\svchost.exe[4372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077330250 5 bytes JMP 0000000077490018
.text C:\Windows\system32\svchost.exe[4372] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000771da600 5 bytes JMP 00000000774900a0
.text C:\Users\olila\Desktop\gmer.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000774dfbf0 5 bytes JMP 0000000172301460
.text C:\Users\olila\Desktop\gmer.exe[1508] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000774dfdb4 5 bytes JMP 0000000172301120
.text C:\Users\olila\Desktop\gmer.exe[1508] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 000000007558117b 5 bytes JMP 0000000172301260

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- Processes - GMER 2.1 ----

Library \\?\C:\Program Files (x86)\Spybot - Search & Destroy 2\av\avxdisk.dll (*** suspicious ***) @ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1900] (BitDefender Core/BitDefender)(2014-11-02 10:16:04) 00000000033f0000
Process C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe (*** suspicious ***) @ C:\Users\olila\AppData\Roaming\uTorrent\uTorrent.exe [3240] (µTorrent/BitTorrent Inc.)(2014-09-08 19:02:14) 0000000000400000

---- Files - GMER 2.1 ----

File C:\Users\olila\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ORF45W9J\clients[1].txt 0 bytes

---- EOF - GMER 2.1 ----