GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-06 13:37:00
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0002SDM1 465,76GB
Running: lbnm6zn4.exe; Driver: C:\Users\Pawel\AppData\Local\Temp\pgldqfow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000001772900a0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000177290018
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000001772901b0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000177290128
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000177290238
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000001772902c0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000177290348
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000001772900a0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000177290018
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000001772901b0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000177290128
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000177290238
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000001772902c0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000177290348
.text C:\Users\Pawel\Desktop\oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000000775700a0
.text C:\Users\Pawel\Desktop\oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000077570018
.text C:\Users\Pawel\Desktop\oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000000775701b0
.text C:\Users\Pawel\Desktop\oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000077570128
.text C:\Users\Pawel\Desktop\oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000077570238
.text C:\Users\Pawel\Desktop\oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000000775702c0
.text C:\Users\Pawel\Desktop\oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000077570348
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000001772900a0
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000177290018
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000001772901b0
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000177290128
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000177290238
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000001772902c0
.text C:\Windows\system32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000177290348
.text C:\Windows\system32\wbem\wmiprvse.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000000775700a0
.text C:\Windows\system32\wbem\wmiprvse.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000077570018
.text C:\Windows\system32\wbem\wmiprvse.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000000775701b0
.text C:\Windows\system32\wbem\wmiprvse.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000077570128
.text C:\Windows\system32\wbem\wmiprvse.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000077570238
.text C:\Windows\system32\wbem\wmiprvse.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000000775702c0
.text C:\Windows\system32\wbem\wmiprvse.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000077570348
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[3740] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[3788] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000000775700a0
.text C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000077570018
.text C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000000775701b0
.text C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000077570128
.text C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000077570238
.text C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000000775702c0
.text C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000077570348
.text C:\Windows\system32\svchost.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000001772900a0
.text C:\Windows\system32\svchost.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000177290018
.text C:\Windows\system32\svchost.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000001772901b0
.text C:\Windows\system32\svchost.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000177290128
.text C:\Windows\system32\svchost.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000177290238
.text C:\Windows\system32\svchost.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000001772902c0
.text C:\Windows\system32\svchost.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000177290348
.text C:\Program Files\Elantech\ETDCtrl.exe[4132] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000000775700a0
.text C:\Program Files\Elantech\ETDCtrl.exe[4132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000077570018
.text C:\Program Files\Elantech\ETDCtrl.exe[4132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000000775701b0
.text C:\Program Files\Elantech\ETDCtrl.exe[4132] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000077570128
.text C:\Program Files\Elantech\ETDCtrl.exe[4132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000077570238
.text C:\Program Files\Elantech\ETDCtrl.exe[4132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000000775702c0
.text C:\Program Files\Elantech\ETDCtrl.exe[4132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000077570348
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000000775700a0
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000077570018
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000000775701b0
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000077570128
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000077570238
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000000775702c0
.text C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000077570348
.text C:\Windows\system32\svchost.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000001772900a0
.text C:\Windows\system32\svchost.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000177290018
.text C:\Windows\system32\svchost.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000001772901b0
.text C:\Windows\system32\svchost.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000177290128
.text C:\Windows\system32\svchost.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000177290238
.text C:\Windows\system32\svchost.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000001772902c0
.text C:\Windows\system32\svchost.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000177290348
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[4388] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4396] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[4440] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cf1401 2 bytes JMP 7608b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cf1419 2 bytes JMP 7608b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cf1431 2 bytes JMP 76108fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cf144a 2 bytes CALL 7606489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cf14dd 2 bytes JMP 761088c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cf14f5 2 bytes JMP 76108aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cf150d 2 bytes JMP 761087ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cf1525 2 bytes JMP 76108b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cf153d 2 bytes JMP 7607fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cf1555 2 bytes JMP 760868ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cf156d 2 bytes JMP 76109089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cf1585 2 bytes JMP 76108bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cf159d 2 bytes JMP 7610877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cf15b5 2 bytes JMP 7607fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cf15cd 2 bytes JMP 7608b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cf16b2 2 bytes JMP 76108f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cf16bd 2 bytes JMP 76108713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cf1401 2 bytes JMP 7608b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cf1419 2 bytes JMP 7608b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cf1431 2 bytes JMP 76108fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cf144a 2 bytes CALL 7606489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cf14dd 2 bytes JMP 761088c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cf14f5 2 bytes JMP 76108aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cf150d 2 bytes JMP 761087ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cf1525 2 bytes JMP 76108b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cf153d 2 bytes JMP 7607fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cf1555 2 bytes JMP 760868ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cf156d 2 bytes JMP 76109089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cf1585 2 bytes JMP 76108bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cf159d 2 bytes JMP 7610877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cf15b5 2 bytes JMP 7607fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cf15cd 2 bytes JMP 7608b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cf16b2 2 bytes JMP 76108f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4464] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cf16bd 2 bytes JMP 76108713 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000001772900a0
.text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000177290018
.text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000001772901b0
.text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000177290128
.text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000177290238
.text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000001772902c0
.text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000177290348
.text C:\Windows\SysWOW64\ctfmon.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Windows\SysWOW64\ctfmon.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000775bfe54 5 bytes JMP 0000000171271940
.text C:\Windows\SysWOW64\ctfmon.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000775bffb4 5 bytes JMP 0000000171271d50
.text C:\Windows\SysWOW64\ctfmon.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000775c00a8 5 bytes JMP 0000000171271c80
.text C:\Windows\SysWOW64\ctfmon.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000775c07dc 5 bytes JMP 0000000171271d70
.text C:\Windows\SysWOW64\ctfmon.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000775c08b4 5 bytes JMP 0000000171271d90
.text C:\Windows\SysWOW64\ctfmon.exe[4836] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000775c095c 5 bytes JMP 0000000171271db0
.text C:\Windows\system32\notepad.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000000775700a0
.text C:\Windows\system32\notepad.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007740dd50 5 bytes JMP 0000000077570018
.text C:\Windows\system32\notepad.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007740de30 5 bytes JMP 00000000775701b0
.text C:\Windows\system32\notepad.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007740ded0 5 bytes JMP 0000000077570128
.text C:\Windows\system32\notepad.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007740e380 5 bytes JMP 0000000077570238
.text C:\Windows\system32\notepad.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007740e410 5 bytes JMP 00000000775702c0
.text C:\Windows\system32\notepad.exe[4048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000077570348

---- Processes - GMER 2.1 ----

Library C:\Users\Pawel\AppData\Local\ForedateMountebanks\EmulsifiersBiggish.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [3052](2015-12-03 21:00:42) 0000000010000000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3396] 000000006fbc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3396](2014-08-18 16:39:04) 000000006e940000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3396](2 000000006a1c0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3396](2014-08-18 16:39:04) 000000006ff00000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3396](2014-08-18 16:39:04) 000000006efc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3396](201 000000006ed40000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d3babd
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d3babd@444e1a1bfc9f 0x5F 0x53 0x1C 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d3babd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d3babd@444e1a1bfc9f 0x5F 0x53 0x1C 0xF9 ...

---- EOF - GMER 2.1 ----
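Editor's note on reading this log, followed by an added triage script. The script is an example written for this page; it is not part of the posted log and not GMER's code, and its regexes and heuristics are stated assumptions.

Three things stand out in the scan. First, the same seven ntdll syscall stubs (NtMapViewOfSection, NtWriteVirtualMemory, NtCreateEvent, NtResumeThread, NtCreateMutant, NtCreateSemaphore, NtCreateUserProcess) carry a 5-byte JMP in every listed process, AVG's own processes included, and the JMP targets as GMER prints them fall into only three regions (0x177290000 and 0x77570000 for the 64-bit processes, 0x171270000 for the WOW64 ones). That uniformity is what a single system-wide user-mode hook module looks like, and a security product's hooking layer behaves exactly this way; a per-process infection does not. It is still an inference, not an attribution: confirm it by checking which module is mapped at the JMP target inside one of the hooked processes (Process Explorer's DLL view or a debugger will name the owning image). Second, the 2-byte PSAPI.DLL entries at +17 that resolve into kernel32.dll are the Windows 7 psapi.dll forwarder stubs; GMER reports them in essentially every 32-bit process on this OS version, so they are noise. Third, GMER's (*** suspicious ***) tag on a library is a flag, not a verdict: mingwm10.dll, libgcc_s_dw2-1.dll and the QtCore4/QtNetwork4/QtXml4 DLLs are the standard MinGW-built Qt 4 runtime that a Qt application ships with (names alone do not verify them, so hash and signature-check them), whereas a DLL whose folder name and file name are two glued dictionary words under the user's AppData\Local, loaded by rundll32.exe, is the item to investigate first: hash it, check its signature, and find what launches that rundll32 command line. The BTHPORT\Parameters\Keys values are Bluetooth pairing link keys for the adapter and paired device, i.e. secret material; GMER lists them on most machines that have paired a Bluetooth device.

The script parses the hook lines and the flagged Library lines (SAMPLE_LOG is an excerpt of this log, a constructed subset), groups the ntdll hooks by target region, sets the PSAPI stubs aside, and applies the two naming heuristics just described.

```python
"""Triage helper for a GMER 2.1 log (added example, not GMER's code).

Parses the '.text' hook lines and the 'Library ... (*** suspicious ***)'
lines, groups ntdll inline hooks by the region their JMP lands in, sets aside
the Windows 7 psapi.dll forwarder stubs, and applies two heuristics (assumptions).
"""
import re
from collections import defaultdict

# Lines excerpted from the posted log (a constructed subset, not the full scan).
SAMPLE_LOG = r"""
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000001772900a0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[1732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007740e480 5 bytes JMP 0000000177290348
.text C:\Users\Pawel\Desktop\oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007740dc30 5 bytes JMP 00000000775700a0
.text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000775bfc90 5 bytes JMP 0000000171271ab0
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cf1401 2 bytes JMP 7608b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Av\avgui.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cf144a 2 bytes CALL 7606489d C:\Windows\syswow64\kernel32.dll
Library C:\Users\Pawel\AppData\Local\ForedateMountebanks\EmulsifiersBiggish.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [3052](2015-12-03 21:00:42) 0000000010000000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3396] 000000006fbc0000
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<symbol>\w+)"
    r"(?:\s*\+\s*(?P<offset>\d+))?\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)(?:\s+(?P<target_module>\S+))?\s*$")
LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+(?P<host>.+?)\s+"
    r"\[(?P<pid>\d+)\](?:\((?P<stamp>[^)]*)\))?\s+(?P<base>[0-9a-fA-F]+)\s*$")
# Assumption: two glued capitalised words is the dropper naming scheme to look for.
RANDOM_NAME = re.compile(r"^[A-Z][a-z]{3,}[A-Z][a-z]{3,}$")


def parse_hook(line):
    """Return a dict for one '.text' hook line, or None for anything else."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    h = m.groupdict()
    h["pid"], h["size"] = int(h["pid"]), int(h["size"])
    h["addr"], h["target"] = int(h["addr"], 16), int(h["target"], 16)
    h["offset"] = int(h["offset"] or 0)
    h["image"] = h["proc"].rsplit("\\", 1)[-1].lower()
    h["module_name"] = h["module"].rsplit("\\", 1)[-1].lower()
    return h


def classify_hook(h):
    """'psapi-forwarder' for the Win7 psapi.dll -> kernel32.dll stubs (assumption:
    known benign pattern), 'ntdll-inline-hook' for 5-byte Nt* patches, else 'other'."""
    tmod = (h["target_module"] or "").lower()
    if h["module_name"] == "psapi.dll" and h["size"] == 2 and tmod.endswith("kernel32.dll"):
        return "psapi-forwarder"
    if h["module_name"] == "ntdll.dll" and h["symbol"].startswith("Nt") and h["size"] == 5:
        return "ntdll-inline-hook"
    return "other"


def hook_target_regions(hooks, granularity=0x10000):
    """Group ntdll inline hooks by the 64 KiB region of their JMP target: one hook
    module shows as one region per bitness, hit by the same symbols from every process."""
    regions = defaultdict(lambda: {"processes": set(), "symbols": set()})
    for h in hooks:
        if classify_hook(h) == "ntdll-inline-hook":
            r = regions[h["target"] & ~(granularity - 1)]
            r["processes"].add(f'{h["image"]}[{h["pid"]}]')
            r["symbols"].add(h["symbol"])
    return dict(regions)


def triage_library(line):
    """Parse one flagged 'Library' line and apply two heuristics (assumptions):
    random two-word folder/file names under AppData, and rundll32.exe as the host."""
    m = LIB_RE.match(line.strip())
    if not m:
        return None
    path, host = m["path"], m["host"]
    folder, dll = path.rsplit("\\", 2)[-2:]
    reasons = []
    if ("\\appdata\\" in path.lower() and RANDOM_NAME.match(folder)
            and RANDOM_NAME.match(re.sub(r"\.dll$", "", dll, flags=re.I))):
        reasons.append("random two-word folder and file name under AppData")
    if host.lower().endswith("\\rundll32.exe"):
        reasons.append("hosted by rundll32.exe")
    return {"path": path, "host": host, "pid": int(m["pid"]), "base": int(m["base"], 16),
            "reasons": reasons, "verdict": "investigate" if reasons else "verify signature and hash"}


def triage(text):
    """Run both parsers over a log and return the summary used for triage."""
    lines = text.splitlines()
    hooks = [h for h in map(parse_hook, lines) if h]
    libs = [lib for lib in map(triage_library, lines) if lib]
    return {"hooks": hooks, "regions": hook_target_regions(hooks),
            "psapi_stubs": sum(classify_hook(h) == "psapi-forwarder" for h in hooks),
            "libraries": libs}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for base, r in sorted(result["regions"].items()):
        print(f"hook region {base:#x}: {sorted(r['processes'])} -> {sorted(r['symbols'])}")
    print(f"psapi forwarder stubs (noise): {result['psapi_stubs']}")
    for lib in result["libraries"]:
        print(f"{lib['verdict']:>25}: {lib['path']} ({'; '.join(lib['reasons']) or 'no heuristic hit'})")
```

Run it against the full log (replace SAMPLE_LOG with the file contents) and every 64-bit process collapses into the two regions 0x177290000 and 0x77570000, every WOW64 process into 0x171270000, each reached by the same seven symbols; that is the output you expect from one hook library, and a process whose JMPs land somewhere else is the one to look at. The library verdicts are deliberately only "investigate" or "verify signature and hash": a name-based heuristic points at what to check first, it does not clear anything.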