GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-03-01 19:14:01
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-1 WDC_WD5000BEVT-22ZAT0 rev.01.01A01 465.76GB
Running: egcyk39g.exe; Driver: C:\Users\jola\AppData\Local\Temp\kwliypow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\system32\svchost.exe[1460] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Windows\system32\DRIVERS\o2flash.exe[2736] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\system32\svchost.exe[2812] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\system32\svchost.exe[2252] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe[2264] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\ToolbarUpdater.exe[2692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\System32\svchost.exe[1444] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.2.6\loggingserver.exe[1744] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\system32\SearchIndexer.exe[3088] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\system32\RUNDLL32.EXE[3136] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe[3784] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe[3948] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4080] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Program Files (x86)\TeamViewer\tv_w32.exe[2912] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Program Files (x86)\TeamViewer\tv_x64.exe[3672] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Program Files (x86)\AVG\Av\avgemca.exe[3816] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text C:\Windows\SysWOW64\ctfmon.exe[1188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\system32\svchost.exe[3608] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0
.text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3572] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\system32\wbem\unsecapp.exe[4992] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458
.text C:\Windows\system32\wbem\wmiprvse.exe[5028] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590}
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018
.text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0
.text C:\Program Files
(x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458 .text C:\Program Files (x86)\AVG\Av\avgrsa.exe[528] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 5 bytes JMP 00000001728823e0 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700 .text C:\Windows\SysWOW64\explorer.exe[4892] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0 .text C:\Windows\SysWOW64\explorer.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtMapViewOfSection 00000000770b6b10 1 byte JMP 00000001770600a0 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtMapViewOfSection + 2 00000000770b6b12 3 bytes {JMP 0xfffffffffffa9590} .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtWriteVirtualMemory 00000000770b6c30 5 bytes JMP 0000000177060018 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtOpenEvent 00000000770b6c90 5 bytes JMP 00000001770603d0 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtCreateEvent 00000000770b6d10 5 bytes JMP 00000001770601b0 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtResumeThread 00000000770b6db0 5 bytes JMP 0000000177060128 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtCreateMutant 00000000770b7270 5 bytes JMP 0000000177060238 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtCreateSemaphore 00000000770b72f0 5 bytes JMP 00000001770602c0 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtCreateUserProcess 00000000770b7360 5 bytes JMP 0000000177060348 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtOpenMutant 00000000770b77c0 5 bytes JMP 0000000177060458 .text C:\Windows\system32\taskeng.exe[4404] C:\Windows\system32\ntdll.dll!NtOpenSemaphore 00000000770b7810 5 bytes JMP 00000001770604e0 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772797b8 
5 bytes JMP 00000001728823e0 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077279968 5 bytes JMP 0000000172882270 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772799f8 5 bytes JMP 00000001728826a0 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077279ab8 5 bytes JMP 0000000172882680 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077279ba8 5 bytes JMP 00000001728825a0 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007727a2c8 5 bytes JMP 00000001728826c0 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 000000007727a388 5 bytes JMP 0000000172882700 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007727a430 5 bytes JMP 0000000172882740 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 000000007727aab8 5 bytes JMP 00000001728826e0 .text C:\Users\jola\Downloads\Programs\egcyk39g.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 000000007727ab30 5 bytes JMP 0000000172882720 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1952] (GG drive overlay/GG Network S.A.)(2015-11-18 21:16:21) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell 
Extensions\Approved\{51B84F93-2544-7BA7-3F76-14372D604DAE} ---- EOF - GMER 2.1 ----