GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-23 20:07:14 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.17.0 232,89GB Running: tsp9vq0s.exe; Driver: C:\Users\Leszek\AppData\Local\Temp\kwrdapob.sys ---- User code sections - GMER 2.2 ---- .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bf5b30 5 bytes JMP 00000000000205f0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c214a0 5 bytes JMP 0000000000020678 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c21590 5 bytes JMP 00000000000200a0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c216b0 5 bytes JMP 0000000000020018 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c21710 5 bytes JMP 00000000000203d0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c21790 5 bytes JMP 00000000000201b0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c21830 5 bytes JMP 0000000000020128 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c21ce0 5 bytes JMP 0000000000020238 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c21d70 5 bytes JMP 00000000000202c0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c21de0 5 bytes JMP 0000000000020348 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c222a0 5 bytes JMP 0000000000020458 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c222f0 5 bytes JMP 00000000000204e0 .text D:\PROGRAMY\Bongiovi DPS\Bongiovi DPS.exe[2560] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c775b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077dcfac8 5 bytes JMP 000000006c9330e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dcfc40 5 bytes JMP 000000006c932360 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dcfe04 5 bytes JMP 000000006c9321f0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077dcfe98 5 bytes JMP 000000006c9327a0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcff64 5 bytes JMP 000000006c932650 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077dd0058 5 bytes JMP 000000006c932520 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd078c 5 bytes JMP 000000006c9328e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd0864 5 bytes JMP 000000006c932b70 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077dd090c 5 bytes JMP 000000006c932e00 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077dd1068 5 bytes JMP 000000006c932a30 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077dd10e0 5 bytes JMP 000000006c932cc0 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077de96ef 5 bytes JMP 000000006c932f80 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e6fded 5 bytes JMP 000000006c932e90 .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076711465 2 bytes [71, 76] .text C:\Program Files (x86)\Winstep\Nexus.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767114bb 2 bytes [71, 76] .text ... * 2 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077dcfac8 5 bytes JMP 000000006c9330e0 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dcfc40 5 bytes JMP 000000006c932360 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dcfe04 5 bytes JMP 000000006c9321f0 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077dcfe98 5 bytes JMP 000000006c9327a0 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcff64 5 bytes JMP 000000006c932650 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077dd0058 5 bytes JMP 000000006c932520 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd078c 5 bytes JMP 000000006c9328e0 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd0864 5 bytes JMP 000000006c932b70 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077dd090c 5 bytes JMP 000000006c932e00 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077dd1068 5 bytes JMP 000000006c932a30 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077dd10e0 5 bytes JMP 000000006c932cc0 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077de96ef 5 bytes JMP 000000006c932f80 .text C:\Program Files (x86)\Adguard\Adguard.exe[2576] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e6fded 5 bytes JMP 000000006c932e90 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bf5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c214a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c21590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c216b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c21710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c21790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c21830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c21ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c21d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c21de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c222a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c222f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c775b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077dcfac8 5 bytes JMP 000000006c9330e0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dcfc40 5 bytes JMP 000000006c932360 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dcfe04 5 bytes JMP 000000006c9321f0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077dcfe98 5 bytes JMP 000000006c9327a0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcff64 5 bytes JMP 000000006c932650 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077dd0058 5 bytes JMP 000000006c932520 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd078c 5 bytes JMP 000000006c9328e0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd0864 5 bytes JMP 000000006c932b70 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077dd090c 5 bytes JMP 000000006c932e00 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077dd1068 5 bytes JMP 000000006c932a30 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077dd10e0 5 bytes JMP 000000006c932cc0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077de96ef 5 bytes JMP 000000006c932f80 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e6fded 5 bytes JMP 000000006c932e90 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076711465 2 bytes [71, 76] .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767114bb 2 bytes [71, 76] .text ... * 2 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077dcfac8 5 bytes JMP 000000006c9330e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dcfc40 5 bytes JMP 000000006c932360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dcfe04 5 bytes JMP 000000006c9321f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077dcfe98 5 bytes JMP 000000006c9327a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcff64 5 bytes JMP 000000006c932650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077dd0058 5 bytes JMP 000000006c932520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd078c 5 bytes JMP 000000006c9328e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd0864 5 bytes JMP 000000006c932b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077dd090c 5 bytes JMP 000000006c932e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077dd1068 5 bytes JMP 000000006c932a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077dd10e0 5 bytes JMP 000000006c932cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077de96ef 5 bytes JMP 000000006c932f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2220] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e6fded 5 bytes JMP 000000006c932e90 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bf5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c214a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c21590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c216b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c21710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c21790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c21830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c21ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c21d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c21de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c222a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c222f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c775b0 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\system32\IMM32.DLL!ImmProcessKey 000007fefeae39c8 8 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[2156] C:\Windows\system32\IMM32.DLL!ImmProcessKey + 9 000007fefeae39d1 5 bytes [EE, FE, 07, 00, 00] .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bf5b30 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c214a0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c21590 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c216b0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c21710 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c21790 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c21830 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c21ce0 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c21d70 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c21de0 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c222a0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c222f0 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2124] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c775b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bf5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c214a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c21590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c216b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c21710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c21790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c21830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c21ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c21d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c21de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c222a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c222f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c775b0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077bf5b30 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c214a0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c21590 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c216b0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c21710 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c21790 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c21830 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c21ce0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c21d70 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c21de0 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c222a0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c222f0 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077c775b0 5 bytes JMP 0000000000020568 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077dcfac8 5 bytes JMP 000000006c9330e0 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dcfc40 5 bytes JMP 000000006c932360 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dcfe04 5 bytes JMP 000000006c9321f0 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077dcfe98 5 bytes JMP 000000006c9327a0 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077dcff64 5 bytes JMP 000000006c932650 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077dd0058 5 bytes JMP 000000006c932520 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077dd078c 5 bytes JMP 000000006c9328e0 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077dd0864 5 bytes JMP 000000006c932b70 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077dd090c 5 bytes JMP 000000006c932e00 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077dd1068 5 bytes JMP 000000006c932a30 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077dd10e0 5 bytes JMP 000000006c932cc0 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077de96ef 5 bytes JMP 000000006c932f80 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077e6fded 5 bytes JMP 000000006c932e90 .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076711465 2 bytes [71, 76] .text D:\EXE\tsp9vq0s.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767114bb 2 bytes [71, 76] .text ... * 2 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547}@jacoblpmmdkbpglkjfhb 0x64 0x62 0x68 0x6E ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547}@haboalcepeplhded 0x61 0x62 0x62 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E815DC1B-5302-89C2-B38C-5010C4C9BACF} ---- EOF - GMER 2.2 ----