GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-16 12:49:48 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e WDC_WD10EZEX-21M2NA0 rev.01.01A01 931,51GB Running: d7wbfz96.exe; Driver: C:\Users\renata\AppData\Local\Temp\agryapod.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffa63184ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffa63184fcc 8 bytes [50, 6E, 91, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffa631852a6 8 bytes [40, 6E, 91, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffa6318549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffa6318583f 8 bytes [20, 6E, 91, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffa63185895 8 bytes [10, 6E, 91, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffa63185a44 8 bytes [00, 6E, 91, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffa63185fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa63200780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffa63200900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa63200930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa63200a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffa63200b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa632011c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffa632014c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa63201d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000775113f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077511583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077511621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077511674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000775116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000775116e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[6684] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077511727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffa63184ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffa63184fcc 8 bytes [50, 6E, A7, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffa631852a6 8 bytes [40, 6E, A7, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffa6318549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffa6318583f 8 bytes [20, 6E, A7, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffa63185895 8 bytes [10, 6E, A7, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffa63185a44 8 bytes [00, 6E, A7, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffa63185fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa63200780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffa63200900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa63200930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa63200a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffa63200b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa632011c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffa632014c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa63201d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000775113f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077511583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077511621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077511674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000775116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000775116e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\TeamViewer\tv_w32.exe[6760] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077511727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffa63184ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffa63184fcc 8 bytes [50, 6E, 92, 7F, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffa631852a6 8 bytes [40, 6E, 92, 7F, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffa6318549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffa6318583f 8 bytes [20, 6E, 92, 7F, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffa63185895 8 bytes [10, 6E, 92, 7F, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffa63185a44 8 bytes [00, 6E, 92, 7F, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffa63185fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa63200780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffa63200900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa63200930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa63200a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffa63200b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa632011c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffa632014c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa63201d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000775113f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077511583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077511621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077511674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000775116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000775116e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\gghub.exe[4212] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077511727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffa63184ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffa63184fcc 8 bytes [50, 6E, 7A, FE, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffa631852a6 8 bytes [40, 6E, 7A, FE, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffa6318549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffa6318583f 8 bytes [20, 6E, 7A, FE, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffa63185895 8 bytes [10, 6E, 7A, FE, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffa63185a44 8 bytes [00, 6E, 7A, FE, 00, 00, 00, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffa63185fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa63200780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffa63200900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa63200930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa63200a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffa63200b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa632011c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffa632014c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa63201d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000775113f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077511583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077511621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077511674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000775116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000775116e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\AppData\Local\GG\Application\ggapp.exe[1344] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077511727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffa63184ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffa63184fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffa631852a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffa6318549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffa6318583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffa63185895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffa63185a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffa63185fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa63200780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffa63200900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa63200930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa63200a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffa63200b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa632011c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffa632014c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa63201d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000775113f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077511583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077511621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077511674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000775116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000775116e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4232] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077511727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\CCleaner\CCleaner64.exe[972] C:\Windows\system32\USER32.dll!ShowScrollBar 00007ffa62c51150 5 bytes JMP 00007ff9e2cc0018 .text C:\Program Files\CCleaner\CCleaner64.exe[972] C:\Windows\system32\USER32.dll!SetScrollInfo 00007ffa62c5c760 5 bytes JMP 00007ff9e2c70018 .text C:\Program Files\CCleaner\CCleaner64.exe[972] C:\Windows\system32\USER32.dll!GetScrollInfo 00007ffa62c64810 5 bytes JMP 00007ff9e2c80018 .text C:\Program Files\CCleaner\CCleaner64.exe[972] C:\Windows\system32\USER32.dll!SetScrollRange 00007ffa62c75ea0 5 bytes JMP 00007ff9e2c90018 .text C:\Program Files\CCleaner\CCleaner64.exe[972] C:\Windows\system32\USER32.dll!SetScrollPos 00007ffa62c85080 5 bytes JMP 00007ff9e2d00018 .text C:\Program Files\CCleaner\CCleaner64.exe[972] C:\Windows\system32\USER32.dll!EnableScrollBar 00007ffa62c872f0 5 bytes JMP 00007ff9e2ca0018 .text C:\Program Files\CCleaner\CCleaner64.exe[972] C:\Windows\system32\USER32.dll!GetScrollPos 00007ffa62c8fc70 5 bytes JMP 00007ff9e2cb0018 .text C:\Program Files\CCleaner\CCleaner64.exe[972] C:\Windows\system32\USER32.dll!GetScrollRange 00007ffa62cdedb0 5 bytes JMP 00007ff9e2cf0018 .text C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe[6216] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000775113f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe[6216] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077511583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe[6216] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077511621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe[6216] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077511674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe[6216] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000775116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe[6216] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000775116e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe[6216] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077511727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffa63184ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffa63184fcc 8 bytes [50, 6E, 93, 7E, 00, 00, 00, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffa631852a6 8 bytes [40, 6E, 93, 7E, 00, 00, 00, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffa6318549f 8 bytes {JMP 0xffffffffffffffee} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffa6318583f 8 bytes [20, 6E, 93, 7E, 00, 00, 00, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffa63185895 8 bytes [10, 6E, 93, 7E, 00, 00, 00, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffa63185a44 8 bytes [00, 6E, 93, 7E, 00, 00, 00, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffa63185fe1 8 bytes {JMP 0xffffffffffffff9e} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa63200780 8 bytes {JMP QWORD [RIP-0x7af47]} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffa63200900 8 bytes {JMP QWORD [RIP-0x7b071]} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa63200930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa63200a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffa63200b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa632011c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffa632014c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa63201d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000775113f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077511583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077511621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077511674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000775116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000775116e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text c:\program files (x86)\teamviewer\TeamViewer_Desktop.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077511727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffa63184ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffa63184fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffa631852a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffa6318549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffa6318583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffa63185895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffa63185a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffa63185fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa63200780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffa63200900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa63200930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa63200a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffa63200b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa632011c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffa632014c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa63201d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000775113f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077511583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077511621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077511674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000775116d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000775116e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\renata\Downloads\Skanowanie\GMER\d7wbfz96.exe[3944] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077511727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [5564:2040] fffff9600093b2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1727609084 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----