GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-14 16:42:38
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LV01 298,09GB
Running: s48v57jq.exe; Driver: C:\Users\Dana\AppData\Local\Temp\pxldapow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c41401 2 bytes JMP 7675b21b C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c41419 2 bytes JMP 7675b346 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c41431 2 bytes JMP 767d8ea9 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c4144a 2 bytes CALL 767348ad C:\Windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c414dd 2 bytes JMP 767d87a2 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c414f5 2 bytes JMP 767d8978 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c4150d 2 bytes JMP 767d8698 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c41525 2 bytes JMP 767d8a62 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c4153d 2 bytes JMP 7674fca8 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c41555 2 bytes JMP 767568ef C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c4156d 2 bytes JMP 767d8f61 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c41585 2 bytes JMP 767d8ac2 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c4159d 2 bytes JMP 767d865c C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c415b5 2 bytes JMP 7674fd41 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c415cd 2 bytes JMP 7675b2dc C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c416b2 2 bytes JMP 767d8e24 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Wondershare\Video Converter Ultimate\MediaLibServer.exe[2580] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c416bd 2 bytes JMP 767d85f1 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077081398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007708143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077081594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007708191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077081bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077081d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077081edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077081fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000770827b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000770827d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007708282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077082898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077082d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077082d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007708323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000770833c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077083a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077083ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077083b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077084190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077084241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000770842b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000770843f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077084434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000770845d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000770846d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077084a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077084b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077084c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077084d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077084ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077084ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000770850f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000770852f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000770853f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000770855e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000770864d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007708668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007708687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000770868bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000770868d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007708692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077087166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077087dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077087e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770d1380 8 bytes {JMP QWORD [RIP-0x4a220]}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000770d1500 8 bytes {JMP QWORD [RIP-0x49cef]}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770d1530 8 bytes {JMP QWORD [RIP-0x4ac62]}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770d1650 8 bytes {JMP QWORD [RIP-0x4a80f]}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770d1700 8 bytes {JMP QWORD [RIP-0x4adda]}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770d1d30 8 bytes {JMP QWORD [RIP-0x49edf]}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000770d1f80 8 bytes {JMP QWORD [RIP-0x4a1b5]}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770d27e0 8 bytes {JMP QWORD [RIP-0x4ab13]}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b2146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b21a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c41401 2 bytes JMP 7675b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c41419 2 bytes JMP 7675b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c41431 2 bytes JMP 767d8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c4144a 2 bytes CALL 767348ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c414dd 2 bytes JMP 767d87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c414f5 2 bytes JMP 767d8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c4150d 2 bytes JMP 767d8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c41525 2 bytes JMP 767d8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c4153d 2 bytes JMP 7674fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c41555 2 bytes JMP 767568ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c4156d 2 bytes JMP 767d8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c41585 2 bytes JMP 767d8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c4159d 2 bytes JMP 767d865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c415b5 2 bytes JMP 7674fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c415cd 2 bytes JMP 7675b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c416b2 2 bytes JMP 767d8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c416bd 2 bytes JMP 767d85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077081398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007708143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077081594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007708191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077081bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077081d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077081edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077081fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000770827b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000770827d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007708282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077082898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077082d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077082d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007708323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000770833c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077083a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077083ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077083b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077084190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077084241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000770842b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000770843f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077084434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000770845d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000770846d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077084a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077084b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077084c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077084d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077084ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077084ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000770850f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000770852f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000770853f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000770855e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000770864d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007708668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007708687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000770868bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000770868d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007708692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077087166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077087dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077087e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770d1380 8 bytes {JMP QWORD [RIP-0x4a220]}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000770d1500 8 bytes {JMP QWORD [RIP-0x49cef]}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770d1530 8 bytes {JMP QWORD [RIP-0x4ac62]}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770d1650 8 bytes {JMP QWORD [RIP-0x4a80f]}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770d1700 8 bytes {JMP QWORD [RIP-0x4adda]}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770d1d30 8 bytes {JMP QWORD [RIP-0x49edf]}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000770d1f80 8 bytes {JMP QWORD [RIP-0x4a1b5]}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770d27e0 8 bytes {JMP QWORD [RIP-0x4ab13]}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b2146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[4912] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b21a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007727faa8 5 bytes JMP 0000000174822e30
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077280038 5 bytes JMP 0000000174822df0
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077081398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007708143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077081594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007708191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077081bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077081d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077081edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077081fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000770827b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000770827d2 8 bytes {JMP 0x10}
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007708282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077082898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077082d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077082d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007708323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000770833c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077083a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077083ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077083b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077084190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077084241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000770842b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000770843f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077084434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000770845d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000770846d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077084a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077084b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077084c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077084d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077084ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077084ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000770850f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000770852f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000770853f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000770855e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000770864d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007708668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007708687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000770868bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000770868d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007708692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077087166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077087dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077087e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] 
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000770d1380 8 bytes {JMP QWORD [RIP-0x4a220]} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000770d1500 8 bytes {JMP QWORD [RIP-0x49cef]} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770d1530 8 bytes {JMP QWORD [RIP-0x4ac62]} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770d1650 8 bytes {JMP QWORD [RIP-0x4a80f]} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000770d1700 8 bytes {JMP QWORD [RIP-0x4adda]} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770d1d30 8 bytes {JMP QWORD [RIP-0x49edf]} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000770d1f80 8 bytes {JMP QWORD [RIP-0x4a1b5]} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770d27e0 8 bytes {JMP QWORD [RIP-0x4ab13]} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074b213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074b2146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074b216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074b219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074b219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Dana\Desktop\usun\s48v57jq.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074b21a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff880034d8ef8] \SystemRoot\system32\DRIVERS\klif.sys [unknown section] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4996:1460] 000007fefb1e2bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4996:4772] 000007fee790cf60 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1244] (Windows SysTool Service/SysTool PasSame LIMITED)(2015-03-27 09:16:52) 00000000002e0000 ---- EOF - GMER 2.1 ----