GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-05 20:15:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.17.0 232,89GB Running: xchfjbnl.exe; Driver: C:\Users\Leszek\AppData\Local\Temp\kwrdapob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007709fae8 5 bytes JMP 0000000074a230e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007709fc60 5 bytes JMP 0000000074a22360 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007709fe24 5 bytes JMP 0000000074a221f0 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007709feb8 5 bytes JMP 0000000074a227a0 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007709ff84 5 bytes JMP 0000000074a22650 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770a0078 5 bytes JMP 0000000074a22520 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000074a228e0 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000074a22b70 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000074a22e00 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000074a22a30 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000074a22cc0 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000074a22f80 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ff31 5 bytes JMP 0000000074a22e90 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767b1401 2 bytes JMP 75fab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767b1419 2 bytes JMP 75fab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767b1431 2 bytes JMP 76029149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767b144a 2 bytes CALL 75f84885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767b14dd 2 bytes JMP 76028a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767b14f5 2 bytes JMP 76028c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767b150d 2 bytes JMP 76028938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767b1525 2 bytes JMP 76028d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767b153d 2 bytes JMP 75f9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767b1555 2 bytes JMP 75fa6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767b156d 2 bytes JMP 76029201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767b1585 2 bytes JMP 76028d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767b159d 2 bytes JMP 760288fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767b15b5 2 bytes JMP 75f9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767b15cd 2 bytes JMP 75fab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767b16b2 2 bytes JMP 760290c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Winstep\Nexus.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767b16bd 2 bytes JMP 76028891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007709fae8 5 bytes JMP 0000000074a230e0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007709fc60 5 bytes JMP 0000000074a22360 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007709fe24 5 bytes JMP 0000000074a221f0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007709feb8 5 bytes JMP 0000000074a227a0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007709ff84 5 bytes JMP 0000000074a22650 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770a0078 5 bytes JMP 0000000074a22520 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000074a228e0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000074a22b70 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000074a22e00 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000074a22a30 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000074a22cc0 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000074a22f80 .text C:\Program Files (x86)\Adguard\Adguard.exe[1628] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ff31 5 bytes JMP 0000000074a22e90 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007709fae8 5 bytes JMP 0000000074a230e0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007709fc60 5 bytes JMP 0000000074a22360 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007709fe24 5 bytes JMP 0000000074a221f0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007709feb8 5 bytes JMP 0000000074a227a0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007709ff84 5 bytes JMP 0000000074a22650 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770a0078 5 bytes JMP 0000000074a22520 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000074a228e0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000074a22b70 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000074a22e00 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000074a22a30 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000074a22cc0 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000074a22f80 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ff31 5 bytes JMP 0000000074a22e90 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767b1401 2 bytes JMP 75fab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767b1419 2 bytes JMP 75fab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767b1431 2 bytes JMP 76029149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767b144a 2 bytes CALL 75f84885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767b14dd 2 bytes JMP 76028a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767b14f5 2 bytes JMP 76028c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767b150d 2 bytes JMP 76028938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767b1525 2 bytes JMP 76028d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767b153d 2 bytes JMP 75f9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767b1555 2 bytes JMP 75fa6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767b156d 2 bytes JMP 76029201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767b1585 2 bytes JMP 76028d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767b159d 2 bytes JMP 760288fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767b15b5 2 bytes JMP 75f9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767b15cd 2 bytes JMP 75fab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767b16b2 2 bytes JMP 760290c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe[3132] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767b16bd 2 bytes JMP 76028891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3248] C:\Windows\system32\IMM32.DLL!ImmProcessKey 000007fefc3939c8 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3272] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007709fae8 5 bytes JMP 0000000074a230e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007709fc60 5 bytes JMP 0000000074a22360 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007709fe24 5 bytes JMP 0000000074a221f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007709feb8 5 bytes JMP 0000000074a227a0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007709ff84 5 bytes JMP 0000000074a22650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770a0078 5 bytes JMP 0000000074a22520 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000074a228e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000074a22b70 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000074a22e00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000074a22a30 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000074a22cc0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000074a22f80 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ff31 5 bytes JMP 0000000074a22e90 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767b1401 2 bytes JMP 75fab233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767b1419 2 bytes JMP 75fab35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767b1431 2 bytes JMP 76029149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767b144a 2 bytes CALL 75f84885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767b14dd 2 bytes JMP 76028a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767b14f5 2 bytes JMP 76028c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767b150d 2 bytes JMP 76028938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767b1525 2 bytes JMP 76028d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767b153d 2 bytes JMP 75f9fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767b1555 2 bytes JMP 75fa6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767b156d 2 bytes JMP 76029201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767b1585 2 bytes JMP 76028d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767b159d 2 bytes JMP 760288fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767b15b5 2 bytes JMP 75f9fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767b15cd 2 bytes JMP 75fab2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767b16b2 2 bytes JMP 760290c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3280] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767b16bd 2 bytes JMP 76028891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\svchost.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\ctfmon.exe[3604] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ec5be0 13 bytes {MOV R11, 0x7fee7ee8a10; JMP R11} .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000076d99020 13 bytes {MOV R11, 0x7fee1cb4424; JMP R11} .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\system32\USER32.dll!GetWindowInfo 0000000076c98b30 13 bytes {MOV R11, 0x7fee2ee2604; JMP R11} .text C:\Program Files\Mozilla Firefox\firefox.exe[3600] C:\Windows\system32\IMM32.DLL!ImmProcessKey 000007fefc3939c8 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\notepad.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Windows\explorer.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000076ec40c0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000076eebcc0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076eebdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076eebed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076eebf30 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076eebfb0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076eec050 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076eec500 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076eec590 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076eec600 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076eecac0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076eecb10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\svchost.exe[5056] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000076f42530 5 bytes JMP 0000000000020568 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007709fae8 5 bytes JMP 0000000074a230e0 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007709fc60 5 bytes JMP 0000000074a22360 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007709fe24 5 bytes JMP 0000000074a221f0 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007709feb8 5 bytes JMP 0000000074a227a0 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007709ff84 5 bytes JMP 0000000074a22650 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000770a0078 5 bytes JMP 0000000074a22520 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000770a07ac 5 bytes JMP 0000000074a228e0 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000770a0884 5 bytes JMP 0000000074a22b70 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770a092c 5 bytes JMP 0000000074a22e00 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000770a1088 5 bytes JMP 0000000074a22a30 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770a1100 5 bytes JMP 0000000074a22cc0 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000770b911f 5 bytes JMP 0000000074a22f80 .text D:\EXE\xchfjbnl.exe[4868] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007713ff31 5 bytes JMP 0000000074a22e90 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547}@jacoblpmmdkbpglkjfhb 0x64 0x62 0x68 0x6E ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3D466920-8872-8FB1-6BAD-BE26A6BB7547}@haboalcepeplhded 0x61 0x62 0x62 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E815DC1B-5302-89C2-B38C-5010C4C9BACF} ---- EOF - GMER 2.2 ----