GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-08-22 21:51:15 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 TOSHIBA_ rev.FG02 298,09GB Running: miol0omj.exe; Driver: C:\Users\DSKOWR~1\AppData\Local\Temp\fglciaow.sys ---- User code sections - GMER 2.2 ---- .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\taskhost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000778ffae8 5 bytes JMP 00000000735930e0 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000778ffc60 5 bytes JMP 0000000073592360 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000778ffe24 5 bytes JMP 00000000735921f0 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000778ffeb8 5 bytes JMP 00000000735927a0 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778fff84 5 bytes JMP 0000000073592650 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077900078 5 bytes JMP 0000000073592520 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779007ac 5 bytes JMP 00000000735928e0 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077900884 5 bytes JMP 0000000073592b70 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007790092c 5 bytes JMP 0000000073592e00 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077901088 5 bytes JMP 0000000073592a30 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077901100 5 bytes JMP 0000000073592cc0 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007791911f 5 bytes JMP 0000000073592f80 .text C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe[3180] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007799ff31 5 bytes JMP 0000000073592e90 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4284] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe[4592] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\windows\system32\SearchIndexer.exe[4632] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000778ffae8 5 bytes JMP 00000000735930e0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000778ffc60 5 bytes JMP 0000000073592360 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000778ffe24 5 bytes JMP 00000000735921f0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000778ffeb8 5 bytes JMP 00000000735927a0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778fff84 5 bytes JMP 0000000073592650 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077900078 5 bytes JMP 0000000073592520 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779007ac 5 bytes JMP 00000000735928e0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077900884 5 bytes JMP 0000000073592b70 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007790092c 5 bytes JMP 0000000073592e00 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077901088 5 bytes JMP 0000000073592a30 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077901100 5 bytes JMP 0000000073592cc0 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007791911f 5 bytes JMP 0000000073592f80 .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[4744] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007799ff31 5 bytes JMP 0000000073592e90 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000778ffae8 5 bytes JMP 00000000735930e0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000778ffc60 5 bytes JMP 0000000073592360 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000778ffe24 5 bytes JMP 00000000735921f0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000778ffeb8 5 bytes JMP 00000000735927a0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778fff84 5 bytes JMP 0000000073592650 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077900078 5 bytes JMP 0000000073592520 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779007ac 5 bytes JMP 00000000735928e0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077900884 5 bytes JMP 0000000073592b70 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007790092c 5 bytes JMP 0000000073592e00 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077901088 5 bytes JMP 0000000073592a30 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077901100 5 bytes JMP 0000000073592cc0 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007791911f 5 bytes JMP 0000000073592f80 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4872] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007799ff31 5 bytes JMP 0000000073592e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000778ffae8 5 bytes JMP 00000000735930e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000778ffc60 5 bytes JMP 0000000073592360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000778ffe24 5 bytes JMP 00000000735921f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000778ffeb8 5 bytes JMP 00000000735927a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778fff84 5 bytes JMP 0000000073592650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077900078 5 bytes JMP 0000000073592520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779007ac 5 bytes JMP 00000000735928e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077900884 5 bytes JMP 0000000073592b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007790092c 5 bytes JMP 0000000073592e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077901088 5 bytes JMP 0000000073592a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077901100 5 bytes JMP 0000000073592cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007791911f 5 bytes JMP 0000000073592f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[4928] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007799ff31 5 bytes JMP 0000000073592e90 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[5172] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000778ffae8 5 bytes JMP 00000000735930e0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000778ffc60 5 bytes JMP 0000000073592360 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000778ffe24 5 bytes JMP 00000000735921f0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000778ffeb8 5 bytes JMP 00000000735927a0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778fff84 5 bytes JMP 0000000073592650 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077900078 5 bytes JMP 0000000073592520 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779007ac 5 bytes JMP 00000000735928e0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077900884 5 bytes JMP 0000000073592b70 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007790092c 5 bytes JMP 0000000073592e00 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077901088 5 bytes JMP 0000000073592a30 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077901100 5 bytes JMP 0000000073592cc0 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007791911f 5 bytes JMP 0000000073592f80 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6336] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007799ff31 5 bytes JMP 0000000073592e90 ? C:\windows\system32\mssprxy.dll [6336] entry point in ".rdata" section 000000006ff471e6 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\windows\explorer.exe[5888] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4244] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[712] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000777240c0 5 bytes JMP 00000000000205f0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007774bcc0 5 bytes JMP 0000000000020678 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007774bdb0 5 bytes JMP 00000000000200a0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007774bed0 5 bytes JMP 0000000000020018 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007774bf30 5 bytes JMP 00000000000203d0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007774bfb0 5 bytes JMP 00000000000201b0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007774c050 5 bytes JMP 0000000000020128 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007774c500 5 bytes JMP 0000000000020238 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007774c590 5 bytes JMP 00000000000202c0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007774c600 5 bytes JMP 0000000000020348 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007774cac0 5 bytes JMP 0000000000020458 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007774cb10 5 bytes JMP 00000000000204e0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4452] C:\windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000777a2530 5 bytes JMP 0000000000020568 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000778ffae8 5 bytes JMP 00000000735930e0 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000778ffc60 5 bytes JMP 0000000073592360 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000778ffe24 5 bytes JMP 00000000735921f0 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000778ffeb8 5 bytes JMP 00000000735927a0 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000778fff84 5 bytes JMP 0000000073592650 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077900078 5 bytes JMP 0000000073592520 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779007ac 5 bytes JMP 00000000735928e0 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077900884 5 bytes JMP 0000000073592b70 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007790092c 5 bytes JMP 0000000073592e00 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077901088 5 bytes JMP 0000000073592a30 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077901100 5 bytes JMP 0000000073592cc0 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 000000007791911f 5 bytes JMP 0000000073592f80 .text C:\Users\DSkowronska\Downloads\miol0omj.exe[6700] C:\windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007799ff31 5 bytes JMP 0000000073592e90 ---- Threads - GMER 2.2 ---- Thread C:\windows\system32\CompatTelRunner.exe [6804:6372] 000007feec3776f0 Thread C:\windows\system32\CompatTelRunner.exe [6804:6292] 000007feec3776f0 ---- Files - GMER 2.2 ---- File C:\Users\DSkowronska\AppData\Local\Google\Chrome\User Data\Default\Session Storage\013194.ldb 0 bytes File C:\Users\DSkowronska\AppData\Local\Google\Chrome\User Data\Default\Session Storage\013197.ldb 0 bytes File C:\Users\DSkowronska\AppData\Local\Google\Chrome\User Data\Default\Session Storage\013200.ldb 0 bytes File C:\Users\DSkowronska\AppData\Local\Google\Chrome\User Data\Default\Session Storage\013203.ldb 0 bytes ---- EOF - GMER 2.2 ----