GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-13 11:08:46 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Samsung_ rev.EXT0 232,89GB Running: bw2npy3m.exe; Driver: C:\Users\TEMPMA~1.002\AppData\Local\Temp\kwddikog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 74d1b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 74d1b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 74d98fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 74cf489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 74d988c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 74d98aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 74d987ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 74d98b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 74d0fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 74d168ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 74d99089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 74d98bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 74d9877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 74d0fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 74d1b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 74d98f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[2200] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 74d98713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Windows\system32\conhost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\system32\conhost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\system32\conhost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\system32\conhost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\system32\conhost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\system32\conhost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\system32\conhost.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 0000000176f600a0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000176f60018 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 0000000176f601b0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000176f60128 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000176f60238 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 0000000176f602c0 .text C:\Windows\system32\svchost.exe[3132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000176f60348 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Windows\system32\SearchIndexer.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\system32\SearchIndexer.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\system32\SearchIndexer.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\system32\SearchIndexer.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\system32\SearchIndexer.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\system32\SearchIndexer.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\system32\SearchIndexer.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Windows\system32\taskhost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\system32\taskhost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\system32\taskhost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\system32\taskhost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\system32\taskhost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\system32\taskhost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\system32\taskhost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Windows\system32\conhost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\system32\conhost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\system32\conhost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\system32\conhost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\system32\conhost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\system32\conhost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\system32\conhost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Windows\system32\Dwm.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\system32\Dwm.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\system32\Dwm.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\system32\Dwm.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\system32\Dwm.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\system32\Dwm.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\system32\Dwm.exe[4196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Windows\Explorer.EXE[4272] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\Explorer.EXE[4272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\Explorer.EXE[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\Explorer.EXE[4272] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\Explorer.EXE[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\Explorer.EXE[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\Explorer.EXE[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Windows\system32\taskeng.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\system32\taskeng.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\system32\taskeng.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\system32\taskeng.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\system32\taskeng.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\system32\taskeng.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\system32\taskeng.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[4472] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\ProgramData\DatacardService\DCSHelper.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\ProgramData\DatacardService\DCSHelper.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\ProgramData\DatacardService\DCSHelper.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\ProgramData\DatacardService\DCSHelper.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\ProgramData\DatacardService\DCSHelper.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\ProgramData\DatacardService\DCSHelper.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\ProgramData\DatacardService\DCSHelper.exe[4544] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Windows\system32\wbem\wmiprvse.exe[4852] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\system32\wbem\wmiprvse.exe[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4852] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\system32\wbem\wmiprvse.exe[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\system32\wbem\wmiprvse.exe[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000765f2ab1 5 bytes JMP 000000010040f4f2 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[2104] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\AVG\Av\avgui.exe[4780] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 74d1b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 74d1b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 74d98fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 74cf489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 74d988c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 74d98aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 74d987ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 74d98b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 74d0fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 74d168ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 74d99089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 74d98bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 74d9877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 74d0fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 74d1b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 74d98f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 74d98713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 74d1b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 74d1b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 74d98fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 74cf489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 74d988c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 74d98aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 74d987ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 74d98b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 74d0fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 74d168ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 74d99089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 74d98bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 74d9877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 74d0fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 74d1b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 74d98f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 74d98713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076bf1401 2 bytes JMP 74d1b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076bf1419 2 bytes JMP 74d1b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076bf1431 2 bytes JMP 74d98fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076bf144a 2 bytes CALL 74cf489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076bf14dd 2 bytes JMP 74d988c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076bf14f5 2 bytes JMP 74d98aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076bf150d 2 bytes JMP 74d987ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076bf1525 2 bytes JMP 74d98b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076bf153d 2 bytes JMP 74d0fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076bf1555 2 bytes JMP 74d168ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076bf156d 2 bytes JMP 74d99089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076bf1585 2 bytes JMP 74d98bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076bf159d 2 bytes JMP 74d9877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076bf15b5 2 bytes JMP 74d0fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076bf15cd 2 bytes JMP 74d1b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076bf16b2 2 bytes JMP 74d98f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[6084] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076bf16bd 2 bytes JMP 74d98713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ctfmon.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Windows\SysWOW64\ctfmon.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Windows\SysWOW64\ctfmon.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Windows\SysWOW64\ctfmon.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Windows\SysWOW64\ctfmon.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Windows\SysWOW64\ctfmon.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Windows\SysWOW64\ctfmon.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Windows\servicing\TrustedInstaller.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Windows\servicing\TrustedInstaller.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Windows\servicing\TrustedInstaller.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Windows\servicing\TrustedInstaller.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Windows\servicing\TrustedInstaller.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Windows\servicing\TrustedInstaller.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Windows\servicing\TrustedInstaller.exe[4992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Windows\System32\svchost.exe[6288] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 0000000176f600a0 .text C:\Windows\System32\svchost.exe[6288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000176f60018 .text C:\Windows\System32\svchost.exe[6288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 0000000176f601b0 .text C:\Windows\System32\svchost.exe[6288] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000176f60128 .text C:\Windows\System32\svchost.exe[6288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000176f60238 .text C:\Windows\System32\svchost.exe[6288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 0000000176f602c0 .text C:\Windows\System32\svchost.exe[6288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000176f60348 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 00000000772400a0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000077240018 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 00000000772401b0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000077240128 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000077240238 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 00000000772402c0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000077240348 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007728fc90 5 bytes JMP 0000000170aa1ab0 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007728fe54 5 bytes JMP 0000000170aa1940 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007728ffb4 5 bytes JMP 0000000170aa1d50 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772900a8 5 bytes JMP 0000000170aa1c80 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772907dc 5 bytes JMP 0000000170aa1d70 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772908b4 5 bytes JMP 0000000170aa1d90 .text C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007729095c 5 bytes JMP 0000000170aa1db0 .text C:\Windows\system32\svchost.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000770ddc30 5 bytes JMP 0000000176f600a0 .text C:\Windows\system32\svchost.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770ddd50 5 bytes JMP 0000000176f60018 .text C:\Windows\system32\svchost.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770dde30 5 bytes JMP 0000000176f601b0 .text C:\Windows\system32\svchost.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000770dded0 5 bytes JMP 0000000176f60128 .text C:\Windows\system32\svchost.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770de380 5 bytes JMP 0000000176f60238 .text C:\Windows\system32\svchost.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770de410 5 bytes JMP 0000000176f602c0 .text C:\Windows\system32\svchost.exe[5576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000770de480 5 bytes JMP 0000000176f60348 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\NETIA\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\NETIA\OnlineUpdate\ouc.exe [2180](2014-11-20 20:04:07) 000000006fbc0000 Library C:\ProgramData\NETIA\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\NETIA\OnlineUpdate\ouc.exe [2180](2014-11-20 000000006e940000 Library C:\ProgramData\NETIA\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\NETIA\OnlineUpdate\ouc.exe [2180](2014-11-20 20:04:07) 000000006a1c0000 Library C:\ProgramData\NETIA\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\NETIA\OnlineUpdate\ouc.exe [2180](2014-11-20 20:04:07 000000006ff00000 Library C:\ProgramData\NETIA\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\NETIA\OnlineUpdate\ouc.exe [2180](2014-11-20 20 000000006efc0000 Library C:\ProgramData\NETIA\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\NETIA\OnlineUpdate\ouc.exe [2180](2014-11-20 20:04:07) 000000006ed40000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe6747ef Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe6747ef@fca13ec3a7f9 0x9C 0x1C 0x7F 0x4B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe6747ef (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe6747ef@fca13ec3a7f9 0x9C 0x1C 0x7F 0x4B ... ---- EOF - GMER 2.1 ----