GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-20 17:54:27 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003c WDC_WD10JPVX-22JC3T0 rev.01.01A01 931,51GB Running: v3c0yun4.exe; Driver: C:\Users\Grzegorz\AppData\Local\Temp\kwdiqpod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffa3f573e10 7 bytes JMP 00007ffb3e830260 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW 00007ffa3f573e20 7 bytes JMP 00007ffb3e830298 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNEL32.DLL!RegSetValueExW 00007ffa3f6239b0 7 bytes JMP 00007ffb3e830340 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNEL32.DLL!RegDeleteValueW 00007ffa3f623ef0 7 bytes JMP 00007ffb3e8302d0 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 00007ffa3f623fe0 7 bytes JMP 00007ffb3e830308 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffa3f6506c0 7 bytes JMP 00007ffb3e8301f0 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffa3f650730 7 bytes JMP 00007ffb3e830228 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 00007ffa3e8421d0 5 bytes JMP 00007ffb3e830180 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 00007ffa3e8429d0 7 bytes JMP 00007ffb3e8300d8 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffa3e844310 5 bytes JMP 00007ffb3e830110 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 00007ffa3e848d80 5 bytes JMP 00007ffb3e830148 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffa3e8bf0b0 5 bytes JMP 00007ffb3e8301b8 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\USER32.dll!CreateWindowExW 00007ffa412d6d90 1 byte JMP 00007ffb3e830420 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\USER32.dll!CreateWindowExW + 2 00007ffa412d6d92 8 bytes {JMP 0xfffffffffd559690} .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 00007ffa412e74a0 5 bytes JMP 00007ffb3e8303e8 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffa412e7560 9 bytes JMP 00007ffb3e830378 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffa412e7730 5 bytes JMP 00007ffb3e830458 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 00007ffa412f6b10 5 bytes JMP 00007ffb3e8303b0 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffa3f361500 1 byte JMP 00007ffb3e830490 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffa3f361502 6 bytes {JMP 0xffffffffff4cef90} .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffa3f361750 8 bytes JMP 00007ffb3e8304c8 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 00007ffa3c627750 5 bytes JMP 00007ffb3c6100d8 .text C:\Windows\system32\dwm.exe[948] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 00007ffa3c628ee0 5 bytes JMP 00007ffb3c610110 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00007ffa3f573e10 7 bytes JMP 00007ffb3e830260 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNEL32.dll!RegQueryValueExW 00007ffa3f573e20 7 bytes JMP 00007ffb3e830298 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNEL32.dll!RegSetValueExW 00007ffa3f6239b0 7 bytes JMP 00007ffb3e830340 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNEL32.dll!RegDeleteValueW 00007ffa3f623ef0 7 bytes JMP 00007ffb3e8302d0 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 00007ffa3f623fe0 7 bytes JMP 00007ffb3e830308 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 00007ffa3f6506c0 7 bytes JMP 00007ffb3e8301f0 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00007ffa3f650730 7 bytes JMP 00007ffb3e830228 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 00007ffa3e8421d0 5 bytes JMP 00007ffb3e830180 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 00007ffa3e8429d0 7 bytes JMP 00007ffb3e8300d8 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffa3e844310 5 bytes JMP 00007ffb3e830110 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 00007ffa3e848d80 5 bytes JMP 00007ffb3e830148 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffa3e8bf0b0 5 bytes JMP 00007ffb3e8301b8 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\USER32.dll!CreateWindowExW 00007ffa412d6d90 1 byte JMP 00007ffb3e830420 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\USER32.dll!CreateWindowExW + 2 00007ffa412d6d92 8 bytes {JMP 0xfffffffffd559690} .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 00007ffa412e74a0 5 bytes JMP 00007ffb3e8303e8 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffa412e7560 9 bytes JMP 00007ffb3e830378 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffa412e7730 5 bytes JMP 00007ffb3e830458 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 00007ffa412f6b10 5 bytes JMP 00007ffb3e8303b0 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffa3f361500 1 byte JMP 00007ffb3e830490 .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffa3f361502 6 bytes {JMP 0xffffffffff4cef90} .text C:\Program Files (x86)\MSI\Dragon Gaming Center\Dragon Gaming Center.exe[4240] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffa3f361750 8 bytes JMP 00007ffb3e8304c8 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00007ffa3f573e10 7 bytes JMP 00007ffb3e810260 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNEL32.dll!RegQueryValueExW 00007ffa3f573e20 7 bytes JMP 00007ffb3e810298 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNEL32.dll!RegSetValueExW 00007ffa3f6239b0 7 bytes JMP 00007ffb3e810340 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNEL32.dll!RegDeleteValueW 00007ffa3f623ef0 7 bytes JMP 00007ffb3e8102d0 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 00007ffa3f623fe0 7 bytes JMP 00007ffb3e810308 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 00007ffa3f6506c0 7 bytes JMP 00007ffb3e8101f0 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00007ffa3f650730 7 bytes JMP 00007ffb3e810228 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 00007ffa3e8421d0 5 bytes JMP 00007ffb3e810180 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 00007ffa3e8429d0 7 bytes JMP 00007ffb3e8100d8 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffa3e844310 5 bytes JMP 00007ffb3e810110 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 00007ffa3e848d80 5 bytes JMP 00007ffb3e810148 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffa3e8bf0b0 5 bytes JMP 00007ffb3e8101b8 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance 00007ffa3ef6d050 7 bytes JMP 00007ffb3e810500 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffa3ef9b170 5 bytes JMP 00007ffb3e810538 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\USER32.dll!CreateWindowExW 00007ffa412d6d90 1 byte JMP 00007ffb3e810420 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\USER32.dll!CreateWindowExW + 2 00007ffa412d6d92 8 bytes {JMP 0xfffffffffd539690} .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 00007ffa412e74a0 5 bytes JMP 00007ffb3e8103e8 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffa412e7560 9 bytes JMP 00007ffb3e810378 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffa412e7730 5 bytes JMP 00007ffb3e810458 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 00007ffa412f6b10 5 bytes JMP 00007ffb3e8103b0 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffa3f361500 1 byte JMP 00007ffb3e810490 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffa3f361502 6 bytes {JMP 0xffffffffff4aef90} .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffa3f361750 8 bytes JMP 00007ffb3e8104c8 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\SYSTEM32\d3d9.dll!Direct3DCreate9Ex 00007ffa3353ead0 5 bytes JMP 00007ffa3e8105a8 .text C:\Program Files (x86)\SCM\SCM.exe[4392] C:\Windows\SYSTEM32\d3d9.dll!Direct3DCreate9 00007ffa3356eb90 6 bytes JMP 00007ffa3e810570 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffa416b1270 5 bytes JMP 00007ffac17e0460 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffa416b12c0 1 byte JMP 00007ffac17e0450 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00007ffa416b12c2 3 bytes {JMP 0xffffffff8012f190} .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffa416b1420 5 bytes JMP 00007ffac17e0370 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffa416b1470 5 bytes JMP 00007ffac17e0470 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffa416b1480 5 bytes JMP 00007ffac17e03e0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffa416b1530 5 bytes JMP 00007ffac17e0320 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa416b1560 5 bytes JMP 00007ffac17e03b0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffa416b1580 5 bytes JMP 00007ffac17e0390 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffa416b15c0 5 bytes JMP 00007ffac17e02e0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffa416b1640 1 byte JMP 00007ffac17e02d0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00007ffa416b1642 3 bytes {JMP 0xffffffff8012ec90} .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffa416b1660 5 bytes JMP 00007ffac17e0310 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffa416b16a0 5 bytes JMP 00007ffac17e03c0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffa416b16f0 5 bytes JMP 00007ffac17e03f0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffa416b1850 5 bytes JMP 00007ffac17e0230 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffa416b1a40 5 bytes JMP 00007ffac17e0480 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffa416b1a70 5 bytes JMP 00007ffac17e03a0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffa416b1b90 5 bytes JMP 00007ffac17e02f0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffa416b1bb0 5 bytes JMP 00007ffac17e0350 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffa416b1c20 5 bytes JMP 00007ffac17e0290 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffa416b1cb0 5 bytes JMP 00007ffac17e02b0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffa416b1cd0 5 bytes JMP 00007ffac17e03d0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffa416b1ce0 5 bytes JMP 00007ffac17e0330 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffa416b1d90 5 bytes JMP 00007ffac17e0410 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffa416b1dc0 5 bytes JMP 00007ffac17e0240 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffa416b20e0 5 bytes JMP 00007ffac17e01e0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffa416b21a0 5 bytes JMP 00007ffac17e0250 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffa416b21d0 5 bytes JMP 00007ffac17e0490 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffa416b21e0 5 bytes JMP 00007ffac17e04a0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffa416b2210 5 bytes JMP 00007ffac17e0300 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffa416b2220 5 bytes JMP 00007ffac17e0360 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffa416b2280 5 bytes JMP 00007ffac17e02a0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffa416b22d0 5 bytes JMP 00007ffac17e02c0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffa416b2300 5 bytes JMP 00007ffac17e0380 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffa416b2310 5 bytes JMP 00007ffac17e0340 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffa416b2620 5 bytes JMP 00007ffac17e0440 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffa416b2820 5 bytes JMP 00007ffac17e0260 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffa416b2830 5 bytes JMP 00007ffac17e0270 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffa416b2850 5 bytes JMP 00007ffac17e0400 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffa416b2a30 5 bytes JMP 00007ffac17e01f0 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffa416b2a40 5 bytes JMP 00007ffac17e0210 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffa416b2ad0 5 bytes JMP 00007ffac17e0200 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffa416b2b40 5 bytes JMP 00007ffac17e0420 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffa416b2b50 5 bytes JMP 00007ffac17e0430 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffa416b2b60 5 bytes JMP 00007ffac17e0220 .text C:\Windows\system32\AUDIODG.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffa416b2c70 5 bytes JMP 00007ffac17e0280 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [648:1104] fffff960008702d0 Thread C:\Windows\system32\svchost.exe [1604:4664] 00007ffa21351600 Thread C:\Windows\system32\svchost.exe [1604:4768] 00007ffa21321b70 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----