GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-23 12:30:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.17.0 232,89GB Running: tsp9vq0s.exe; Driver: C:\Users\Leszek\AppData\Local\Temp\kwrdapob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007777fac8 5 bytes JMP 000000006c2b30e0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007777fc40 5 bytes JMP 000000006c2b2360 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007777fe04 5 bytes JMP 000000006c2b21f0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007777fe98 5 bytes JMP 000000006c2b27a0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007777ff64 5 bytes JMP 000000006c2b2650 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077780058 5 bytes JMP 000000006c2b2520 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007778078c 5 bytes JMP 000000006c2b28e0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077780864 5 bytes JMP 000000006c2b2b70 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007778090c 5 bytes JMP 000000006c2b2e00 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077781068 5 bytes JMP 000000006c2b2a30 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000777810e0 5 bytes JMP 000000006c2b2cc0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000777996ef 5 bytes JMP 000000006c2b2f80 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007781fded 5 bytes JMP 000000006c2b2e90 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 00000000756e34f1 4 bytes {CALL 0xffffffff8b888e80} .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077731465 2 bytes [73, 77] .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777314bb 2 bytes [73, 77] .text ... * 2 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000775a5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000775d14a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000775d1590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775d1830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000775d1de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000776275b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000775a5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000775d14a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000775d1590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775d1830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000775d1de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000776275b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007777fac8 5 bytes JMP 000000006c2b30e0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007777fc40 5 bytes JMP 000000006c2b2360 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007777fe04 5 bytes JMP 000000006c2b21f0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007777fe98 5 bytes JMP 000000006c2b27a0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007777ff64 5 bytes JMP 000000006c2b2650 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077780058 5 bytes JMP 000000006c2b2520 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007778078c 5 bytes JMP 000000006c2b28e0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077780864 5 bytes JMP 000000006c2b2b70 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007778090c 5 bytes JMP 000000006c2b2e00 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077781068 5 bytes JMP 000000006c2b2a30 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000777810e0 5 bytes JMP 000000006c2b2cc0 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000777996ef 5 bytes JMP 000000006c2b2f80 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007781fded 5 bytes JMP 000000006c2b2e90 .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 00000000756e34f1 4 bytes {CALL 0xffffffff8b888e80} .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077731465 2 bytes [73, 77] .text C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777314bb 2 bytes [73, 77] .text ... * 2 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000775a5b30 5 bytes JMP 00000000000205f0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000775d14a0 5 bytes JMP 0000000000020678 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000775d1590 5 bytes JMP 00000000000200a0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 0000000000020018 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000000203d0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000000201b0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775d1830 5 bytes JMP 0000000000020128 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000000020238 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000000202c0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000775d1de0 5 bytes JMP 0000000000020348 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 0000000000020458 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000000204e0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000776275b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007777fac8 5 bytes JMP 000000006c2b30e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007777fc40 5 bytes JMP 000000006c2b2360 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007777fe04 5 bytes JMP 000000006c2b21f0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007777fe98 5 bytes JMP 000000006c2b27a0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007777ff64 5 bytes JMP 000000006c2b2650 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077780058 5 bytes JMP 000000006c2b2520 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007778078c 5 bytes JMP 000000006c2b28e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077780864 5 bytes JMP 000000006c2b2b70 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007778090c 5 bytes JMP 000000006c2b2e00 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077781068 5 bytes JMP 000000006c2b2a30 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000777810e0 5 bytes JMP 000000006c2b2cc0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000777996ef 5 bytes JMP 000000006c2b2f80 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007781fded 5 bytes JMP 000000006c2b2e90 .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077731465 2 bytes [73, 77] .text C:\Program Files (x86)\Winstep\Nexus.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777314bb 2 bytes [73, 77] .text ... * 2 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007777fac8 5 bytes JMP 000000006c2b30e0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007777fc40 5 bytes JMP 000000006c2b2360 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007777fe04 5 bytes JMP 000000006c2b21f0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007777fe98 5 bytes JMP 000000006c2b27a0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007777ff64 5 bytes JMP 000000006c2b2650 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077780058 5 bytes JMP 000000006c2b2520 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007778078c 5 bytes JMP 000000006c2b28e0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077780864 5 bytes JMP 000000006c2b2b70 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007778090c 5 bytes JMP 000000006c2b2e00 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077781068 5 bytes JMP 000000006c2b2a30 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000777810e0 5 bytes JMP 000000006c2b2cc0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000777996ef 5 bytes JMP 000000006c2b2f80 .text C:\Program Files (x86)\Adguard\Adguard.exe[1768] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007781fded 5 bytes JMP 000000006c2b2e90 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007777fac8 5 bytes JMP 000000006c2b30e0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007777fc40 5 bytes JMP 000000006c2b2360 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007777fe04 5 bytes JMP 000000006c2b21f0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007777fe98 5 bytes JMP 000000006c2b27a0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007777ff64 5 bytes JMP 000000006c2b2650 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077780058 5 bytes JMP 000000006c2b2520 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007778078c 5 bytes JMP 000000006c2b28e0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077780864 5 bytes JMP 000000006c2b2b70 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007778090c 5 bytes JMP 000000006c2b2e00 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077781068 5 bytes JMP 000000006c2b2a30 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000777810e0 5 bytes JMP 000000006c2b2cc0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000777996ef 5 bytes JMP 000000006c2b2f80 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007781fded 5 bytes JMP 000000006c2b2e90 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077731465 2 bytes [73, 77] .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777314bb 2 bytes [73, 77] .text ... * 2 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000775a5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000775d14a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000775d1590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775d1830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000775d1de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000776275b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007777fac8 5 bytes JMP 000000006c2b30e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007777fc40 5 bytes JMP 000000006c2b2360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007777fe04 5 bytes JMP 000000006c2b21f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007777fe98 5 bytes JMP 000000006c2b27a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007777ff64 5 bytes JMP 000000006c2b2650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077780058 5 bytes JMP 000000006c2b2520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007778078c 5 bytes JMP 000000006c2b28e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077780864 5 bytes JMP 000000006c2b2b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007778090c 5 bytes JMP 000000006c2b2e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077781068 5 bytes JMP 000000006c2b2a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000777810e0 5 bytes JMP 000000006c2b2cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000777996ef 5 bytes JMP 000000006c2b2f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3164] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007781fded 5 bytes JMP 000000006c2b2e90 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000775a5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000775d14a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000775d1590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775d1830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000775d1de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000776275b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3352] C:\Windows\system32\IMM32.DLL!ImmProcessKey 000007fefc6039c8 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000775a5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00000000775d14a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000775d1590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775d16b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775d1710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775d1790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775d1830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775d1ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775d1d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000775d1de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775d22a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775d22f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000776275b0 5 bytes JMP 0000000000020568 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007777fac8 5 bytes JMP 000000006c2b30e0 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007777fc40 5 bytes JMP 000000006c2b2360 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007777fe04 5 bytes JMP 000000006c2b21f0 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007777fe98 5 bytes JMP 000000006c2b27a0 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007777ff64 5 bytes JMP 000000006c2b2650 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077780058 5 bytes JMP 000000006c2b2520 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007778078c 5 bytes JMP 000000006c2b28e0 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077780864 5 bytes JMP 000000006c2b2b70 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007778090c 5 bytes JMP 000000006c2b2e00 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077781068 5 bytes JMP 000000006c2b2a30 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000777810e0 5 bytes JMP 000000006c2b2cc0 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000777996ef 5 bytes JMP 000000006c2b2f80 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007781fded 5 bytes JMP 000000006c2b2e90 .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077731465 2 bytes [73, 77] .text D:\EXE\tsp9vq0s.exe[3200] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777314bb 2 bytes [73, 77] .text ... * 2 ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3404:3264] 000007fefaa72ab8 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547}@jacoblpmmdkbpglkjfhb 0x64 0x62 0x68 0x6E ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547}@haboalcepeplhded 0x61 0x62 0x62 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E815DC1B-5302-89C2-B38C-5010C4C9BACF} ---- EOF - GMER 2.2 ----