GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-09 16:38:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005d TOSHIBA_ rev.MS1O 465,76GB Running: 9hpwl7op.exe; Driver: C:\Users\admin\AppData\Local\Temp\ufldypob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075fc1401 2 bytes JMP 765eb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075fc1419 2 bytes JMP 765eb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075fc1431 2 bytes JMP 76668f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075fc144a 2 bytes CALL 765c4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075fc14dd 2 bytes JMP 76668832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075fc14f5 2 bytes JMP 76668a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075fc150d 2 bytes JMP 76668728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075fc1525 2 bytes JMP 76668af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075fc153d 2 bytes JMP 765dfc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075fc1555 2 bytes JMP 765e68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075fc156d 2 bytes JMP 76668ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075fc1585 2 bytes JMP 76668b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075fc159d 2 bytes JMP 766686ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075fc15b5 2 bytes JMP 765dfd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075fc15cd 2 bytes JMP 765eb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075fc16b2 2 bytes JMP 76668eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2464] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075fc16bd 2 bytes JMP 76668681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskhost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\system32\taskhost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\system32\taskhost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\system32\taskhost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\system32\taskhost.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\taskhost.exe[3152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076f400a0 .text C:\Windows\system32\taskhost.exe[3152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x3b2590} .text C:\Windows\system32\taskhost.exe[3152] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000176d80128 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000176d80018 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000176d801b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000176d80238 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000176d802c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3212] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076d800a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3212] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x1f2590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3212] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Windows\system32\Dwm.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\system32\Dwm.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\system32\Dwm.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\system32\Dwm.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\system32\Dwm.exe[3224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\Dwm.exe[3224] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\Explorer.EXE[3388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076f400a0 .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x3b2590} .text C:\Windows\Explorer.EXE[3388] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Windows\system32\igfxHK.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\system32\igfxHK.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\system32\igfxHK.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\system32\igfxHK.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\system32\igfxHK.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\igfxHK.exe[3500] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076f400a0 .text C:\Windows\system32\igfxHK.exe[3500] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x3b2590} .text C:\Windows\system32\igfxHK.exe[3500] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Windows\system32\igfxTray.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\system32\igfxTray.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\system32\igfxTray.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\system32\igfxTray.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\system32\igfxTray.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\igfxTray.exe[3508] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076f400a0 .text C:\Windows\system32\igfxTray.exe[3508] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x3b2590} .text C:\Windows\system32\igfxTray.exe[3508] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Windows\system32\igfxEM.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\system32\igfxEM.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\system32\igfxEM.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\system32\igfxEM.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\system32\igfxEM.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\igfxEM.exe[3568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076f400a0 .text C:\Windows\system32\igfxEM.exe[3568] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x3b2590} .text C:\Windows\system32\igfxEM.exe[3568] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3728] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076f400a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3728] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x3b2590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3728] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[3744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[3744] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Windows\system32\SearchIndexer.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\system32\SearchIndexer.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\system32\SearchIndexer.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\system32\SearchIndexer.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\system32\SearchIndexer.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\SearchIndexer.exe[3924] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Windows\system32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000176d80128 .text C:\Windows\system32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000176d80018 .text C:\Windows\system32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000176d801b0 .text C:\Windows\system32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000176d80238 .text C:\Windows\system32\svchost.exe[4084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000176d802c0 .text C:\Windows\system32\svchost.exe[4084] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076d800a0 .text C:\Windows\system32\svchost.exe[4084] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x1f2590} .text C:\Windows\system32\svchost.exe[4084] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2732] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1128] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1128] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1128] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1128] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1128] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1128] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075fc1401 2 bytes JMP 765eb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075fc1419 2 bytes JMP 765eb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075fc1431 2 bytes JMP 76668f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075fc144a 2 bytes CALL 765c4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075fc14dd 2 bytes JMP 76668832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075fc14f5 2 bytes JMP 76668a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075fc150d 2 bytes JMP 76668728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075fc1525 2 bytes JMP 76668af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075fc153d 2 bytes JMP 765dfc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075fc1555 2 bytes JMP 765e68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075fc156d 2 bytes JMP 76668ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075fc1585 2 bytes JMP 76668b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075fc159d 2 bytes JMP 766686ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075fc15b5 2 bytes JMP 765dfd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075fc15cd 2 bytes JMP 765eb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075fc16b2 2 bytes JMP 76668eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075fc16bd 2 bytes JMP 76668681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3316] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3316] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Windows\SysWOW64\ctfmon.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Windows\SysWOW64\ctfmon.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Windows\SysWOW64\ctfmon.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Windows\SysWOW64\ctfmon.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Windows\SysWOW64\ctfmon.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Windows\SysWOW64\ctfmon.exe[3540] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Windows\SysWOW64\ctfmon.exe[3540] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4224] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4224] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5068] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5068] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[464] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[464] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[464] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[464] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Windows\system32\wbem\wmiprvse.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\system32\wbem\wmiprvse.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\system32\wbem\wmiprvse.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\system32\wbem\wmiprvse.exe[2940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076f400a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2940] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x3b2590} .text C:\Windows\system32\wbem\wmiprvse.exe[2940] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1260] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f8fc90 5 bytes JMP 0000000171391c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1260] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f8fe54 5 bytes JMP 0000000171391820 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1260] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000076f8ffb4 5 bytes JMP 0000000171391ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1260] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000076f907dc 5 bytes JMP 0000000171391ee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1260] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000076f908b4 5 bytes JMP 0000000171391f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1260] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000765d3b93 5 bytes JMP 0000000171391990 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1260] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076713b49 5 bytes JMP 0000000171391de0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dddc30 5 bytes JMP 0000000076f40128 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dddd50 5 bytes JMP 0000000076f40018 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ddde30 5 bytes JMP 0000000076f401b0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dde380 5 bytes JMP 0000000076f40238 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dde410 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b8db10 1 byte JMP 0000000076f400a0 .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076b8db12 3 bytes {JMP 0x3b2590} .text C:\Windows\system32\taskhost.exe[3288] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefbb86590 5 bytes JMP 000007fff5131f50 ---- EOF - GMER 2.1 ----