GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-24 19:52:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596,17GB Running: qormim7b.exe; Driver: C:\Users\marek_2\AppData\Local\Temp\kwddikog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f21401 2 bytes JMP 757ab21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f21419 2 bytes JMP 757ab346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f21431 2 bytes JMP 75828fd1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f2144a 2 bytes CALL 7578489d C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f214dd 2 bytes JMP 758288c4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f214f5 2 bytes JMP 75828aa0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f2150d 2 bytes JMP 758287ba C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f21525 2 bytes JMP 75828b8a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f2153d 2 bytes JMP 7579fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f21555 2 bytes JMP 757a68ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f2156d 2 bytes JMP 75829089 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f21585 2 bytes JMP 75828bea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f2159d 2 bytes JMP 7582877e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f215b5 2 bytes JMP 7579fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f215cd 2 bytes JMP 757ab2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f216b2 2 bytes JMP 75828f4c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2056] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f216bd 2 bytes JMP 75828713 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\svchost.exe[3092] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 00000001771b0128 .text C:\windows\system32\svchost.exe[3092] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 00000001771b0018 .text C:\windows\system32\svchost.exe[3092] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000001771b01b0 .text C:\windows\system32\svchost.exe[3092] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000771b00a0 .text C:\windows\system32\svchost.exe[3092] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x1f2590} .text C:\windows\system32\taskeng.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\windows\system32\taskeng.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\windows\system32\taskeng.exe[3352] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\windows\system32\taskeng.exe[3352] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\windows\system32\taskeng.exe[3352] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\windows\system32\taskhost.exe[3360] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\windows\system32\taskhost.exe[3360] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\windows\system32\taskhost.exe[3360] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\windows\system32\taskhost.exe[3360] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\windows\system32\taskhost.exe[3360] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\windows\servicing\TrustedInstaller.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\windows\servicing\TrustedInstaller.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\windows\servicing\TrustedInstaller.exe[3396] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\windows\servicing\TrustedInstaller.exe[3396] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\windows\servicing\TrustedInstaller.exe[3396] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\windows\system32\Dwm.exe[3416] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\windows\system32\Dwm.exe[3416] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\windows\system32\Dwm.exe[3416] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\windows\system32\Dwm.exe[3416] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\windows\system32\Dwm.exe[3416] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\windows\Explorer.EXE[3460] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\windows\Explorer.EXE[3460] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\windows\Explorer.EXE[3460] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\windows\Explorer.EXE[3460] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\windows\Explorer.EXE[3460] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\windows\system32\taskeng.exe[3852] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\windows\system32\taskeng.exe[3852] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\windows\system32\taskeng.exe[3852] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\windows\system32\taskeng.exe[3852] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\windows\system32\taskeng.exe[3852] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3932] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773bfc90 5 bytes JMP 00000001742e19d0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3932] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfe54 5 bytes JMP 00000001742e15f0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3932] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773c00a8 5 bytes JMP 00000001742e1bb0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3932] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075793bab 5 bytes JMP 00000001742e1760 .text C:\windows\system32\SearchIndexer.exe[3484] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\windows\system32\SearchIndexer.exe[3484] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\windows\system32\SearchIndexer.exe[3484] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3336] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3336] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3336] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3336] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3336] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3536] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3536] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3536] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3536] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3536] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\Program Files\McAfee Security Scan\3.11.226\SSScheduler.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\Program Files\McAfee Security Scan\3.11.226\SSScheduler.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\Program Files\McAfee Security Scan\3.11.226\SSScheduler.exe[2028] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\Program Files\McAfee Security Scan\3.11.226\SSScheduler.exe[2028] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\Program Files\McAfee Security Scan\3.11.226\SSScheduler.exe[2028] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773bfc90 5 bytes JMP 00000001742e19d0 .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfe54 5 bytes JMP 00000001742e15f0 .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773c00a8 5 bytes JMP 00000001742e1bb0 .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075793bab 5 bytes JMP 00000001742e1760 .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f21401 2 bytes JMP 757ab21b C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f21419 2 bytes JMP 757ab346 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f21431 2 bytes JMP 75828fd1 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f2144a 2 bytes CALL 7578489d C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f214dd 2 bytes JMP 758288c4 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f214f5 2 bytes JMP 75828aa0 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f2150d 2 bytes JMP 758287ba C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f21525 2 bytes JMP 75828b8a C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f2153d 2 bytes JMP 7579fca8 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f21555 2 bytes JMP 757a68ef C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f2156d 2 bytes JMP 75829089 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f21585 2 bytes JMP 75828bea C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f2159d 2 bytes JMP 7582877e C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f215b5 2 bytes JMP 7579fd41 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f215cd 2 bytes JMP 757ab2dc C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f216b2 2 bytes JMP 75828f4c C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f216bd 2 bytes JMP 75828713 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1472] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773bfc90 5 bytes JMP 00000001742e19d0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1472] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfe54 5 bytes JMP 00000001742e15f0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1472] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773c00a8 5 bytes JMP 00000001742e1bb0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[1472] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075793bab 5 bytes JMP 00000001742e1760 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773bfc90 5 bytes JMP 00000001742e19d0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfe54 5 bytes JMP 00000001742e15f0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773c00a8 5 bytes JMP 00000001742e1bb0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075793bab 5 bytes JMP 00000001742e1760 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f21401 2 bytes JMP 757ab21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f21419 2 bytes JMP 757ab346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f21431 2 bytes JMP 75828fd1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f2144a 2 bytes CALL 7578489d C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f214dd 2 bytes JMP 758288c4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f214f5 2 bytes JMP 75828aa0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f2150d 2 bytes JMP 758287ba C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f21525 2 bytes JMP 75828b8a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f2153d 2 bytes JMP 7579fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f21555 2 bytes JMP 757a68ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f2156d 2 bytes JMP 75829089 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f21585 2 bytes JMP 75828bea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f2159d 2 bytes JMP 7582877e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f215b5 2 bytes JMP 7579fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f215cd 2 bytes JMP 757ab2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f216b2 2 bytes JMP 75828f4c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[1500] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f216bd 2 bytes JMP 75828713 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\ctfmon.exe[2064] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773bfc90 5 bytes JMP 00000001742e19d0 .text C:\windows\SysWOW64\ctfmon.exe[2064] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfe54 5 bytes JMP 00000001742e15f0 .text C:\windows\SysWOW64\ctfmon.exe[2064] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773c00a8 5 bytes JMP 00000001742e1bb0 .text C:\windows\SysWOW64\ctfmon.exe[2064] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075793bab 5 bytes JMP 00000001742e1760 .text C:\windows\system32\svchost.exe[4012] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 00000001771b0128 .text C:\windows\system32\svchost.exe[4012] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 00000001771b0018 .text C:\windows\system32\svchost.exe[4012] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000001771b01b0 .text C:\windows\system32\svchost.exe[4012] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000771b00a0 .text C:\windows\system32\svchost.exe[4012] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x1f2590} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2892] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773bfc90 5 bytes JMP 00000001742e19d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2892] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfe54 5 bytes JMP 00000001742e15f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2892] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773c00a8 5 bytes JMP 00000001742e1bb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2892] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075793bab 5 bytes JMP 00000001742e1760 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1608] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773bfc90 5 bytes JMP 00000001742e19d0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1608] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfe54 5 bytes JMP 00000001742e15f0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1608] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773c00a8 5 bytes JMP 00000001742e1bb0 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1608] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075793bab 5 bytes JMP 00000001742e1760 .text C:\windows\system32\svchost.exe[4104] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 00000001771b0128 .text C:\windows\system32\svchost.exe[4104] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 00000001771b0018 .text C:\windows\system32\svchost.exe[4104] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000001771b01b0 .text C:\windows\system32\svchost.exe[4104] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000771b00a0 .text C:\windows\system32\svchost.exe[4104] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x1f2590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4664] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4664] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4664] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4664] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4664] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 0000000077370128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 0000000077370018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4740] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000000773701b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4740] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000773700a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[4740] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x3b2590} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773bfc90 5 bytes JMP 00000001742e19d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773bfe54 5 bytes JMP 00000001742e15f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 00000000773c00a8 5 bytes JMP 00000001742e1bb0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075793bab 5 bytes JMP 00000001742e1760 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f21401 2 bytes JMP 757ab21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f21419 2 bytes JMP 757ab346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f21431 2 bytes JMP 75828fd1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f2144a 2 bytes CALL 7578489d C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f214dd 2 bytes JMP 758288c4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f214f5 2 bytes JMP 75828aa0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f2150d 2 bytes JMP 758287ba C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f21525 2 bytes JMP 75828b8a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f2153d 2 bytes JMP 7579fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f21555 2 bytes JMP 757a68ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f2156d 2 bytes JMP 75829089 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f21585 2 bytes JMP 75828bea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f2159d 2 bytes JMP 7582877e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f215b5 2 bytes JMP 7579fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f215cd 2 bytes JMP 757ab2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f216b2 2 bytes JMP 75828f4c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5112] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f216bd 2 bytes JMP 75828713 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\svchost.exe[168] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007720dc30 5 bytes JMP 00000001771b0128 .text C:\windows\system32\svchost.exe[168] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007720dd50 5 bytes JMP 00000001771b0018 .text C:\windows\system32\svchost.exe[168] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007720ded0 5 bytes JMP 00000001771b01b0 .text C:\windows\system32\svchost.exe[168] C:\windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 1 byte JMP 00000000771b00a0 .text C:\windows\system32\svchost.exe[168] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 0000000076fbdb12 3 bytes {JMP 0x1f2590} ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002454f1e1f6 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de6fc1a4 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fee44c72 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971072320 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002454f1e1f6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de6fc1a4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fee44c72 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971072320 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----