GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-22 12:20:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005c WDC_____ rev.05.0 465,76GB Running: 9iy5scbi.exe; Driver: C:\Users\admin\AppData\Local\Temp\uwddakob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000177490128 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000177490018 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000001774901b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000177490238 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000001774902c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2880] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 00000000774bdb10 1 byte JMP 00000001774900a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2880] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW + 2 00000000774bdb12 3 bytes {JMP 0xfffffffffffd2590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2880] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Windows\system32\igfxHK.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000077770128 .text C:\Windows\system32\igfxHK.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000077770018 .text C:\Windows\system32\igfxHK.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000000777701b0 .text C:\Windows\system32\igfxHK.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770238 .text C:\Windows\system32\igfxHK.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\igfxHK.exe[2628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774bdb10 1 byte JMP 00000000777700a0 .text C:\Windows\system32\igfxHK.exe[2628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000774bdb12 3 bytes {JMP 0x2b2590} .text C:\Windows\system32\igfxHK.exe[2628] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Windows\system32\igfxTray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000077770128 .text C:\Windows\system32\igfxTray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000077770018 .text C:\Windows\system32\igfxTray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000000777701b0 .text C:\Windows\system32\igfxTray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770238 .text C:\Windows\system32\igfxTray.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\igfxTray.exe[3036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774bdb10 1 byte JMP 00000000777700a0 .text C:\Windows\system32\igfxTray.exe[3036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000774bdb12 3 bytes {JMP 0x2b2590} .text C:\Windows\system32\igfxTray.exe[3036] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Windows\system32\igfxEM.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000077770128 .text C:\Windows\system32\igfxEM.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000077770018 .text C:\Windows\system32\igfxEM.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000000777701b0 .text C:\Windows\system32\igfxEM.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770238 .text C:\Windows\system32\igfxEM.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\igfxEM.exe[2692] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774bdb10 1 byte JMP 00000000777700a0 .text C:\Windows\system32\igfxEM.exe[2692] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000774bdb12 3 bytes {JMP 0x2b2590} .text C:\Windows\system32\igfxEM.exe[2692] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Windows\system32\sppsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000077770128 .text C:\Windows\system32\sppsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000077770018 .text C:\Windows\system32\sppsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000000777701b0 .text C:\Windows\system32\sppsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770238 .text C:\Windows\system32\sppsvc.exe[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\sppsvc.exe[1908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774bdb10 1 byte JMP 00000000777700a0 .text C:\Windows\system32\sppsvc.exe[1908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000774bdb12 3 bytes {JMP 0x2b2590} .text C:\Windows\system32\sppsvc.exe[1908] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000077770128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000077770018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000000777701b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000000777702c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3204] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774bdb10 1 byte JMP 00000000777700a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3204] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000774bdb12 3 bytes {JMP 0x2b2590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3204] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3264] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3264] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a61401 2 bytes JMP 770ab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a61419 2 bytes JMP 770ab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a61431 2 bytes JMP 77128fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a6144a 2 bytes CALL 7708489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes JMP 771288c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes JMP 77128aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes JMP 771287ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes JMP 77128b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes JMP 7709fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a61555 2 bytes JMP 770a68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes JMP 77129089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a61585 2 bytes JMP 77128bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a6159d 2 bytes JMP 7712877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes JMP 7709fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes JMP 770ab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes JMP 77128f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes JMP 77128713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3332] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3332] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Windows\system32\SearchIndexer.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000077770128 .text C:\Windows\system32\SearchIndexer.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000077770018 .text C:\Windows\system32\SearchIndexer.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000000777701b0 .text C:\Windows\system32\SearchIndexer.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770238 .text C:\Windows\system32\SearchIndexer.exe[3536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\SearchIndexer.exe[3536] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3660] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000177490128 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000177490018 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000001774901b0 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000177490238 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000001774902c0 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774bdb10 1 byte JMP 00000001774900a0 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000774bdb12 3 bytes {JMP 0xfffffffffffd2590} .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Windows\SysWOW64\ctfmon.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Windows\SysWOW64\ctfmon.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Windows\SysWOW64\ctfmon.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Windows\SysWOW64\ctfmon.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Windows\SysWOW64\ctfmon.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Windows\SysWOW64\ctfmon.exe[4088] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Windows\SysWOW64\ctfmon.exe[4088] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Windows\servicing\TrustedInstaller.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007760dc30 5 bytes JMP 0000000077770128 .text C:\Windows\servicing\TrustedInstaller.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007760dd50 5 bytes JMP 0000000077770018 .text C:\Windows\servicing\TrustedInstaller.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007760de30 5 bytes JMP 00000000777701b0 .text C:\Windows\servicing\TrustedInstaller.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007760e380 5 bytes JMP 0000000077770238 .text C:\Windows\servicing\TrustedInstaller.exe[2988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007760e410 5 bytes JMP 00000000777702c0 .text C:\Windows\servicing\TrustedInstaller.exe[2988] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000774bdb10 1 byte JMP 00000000777700a0 .text C:\Windows\servicing\TrustedInstaller.exe[2988] C:\Windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000774bdb12 3 bytes {JMP 0x2b2590} .text C:\Windows\servicing\TrustedInstaller.exe[2988] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007fefc396f00 5 bytes JMP 000007fff4b01f50 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4572] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4572] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4572] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[4292] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[4292] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[4292] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[4292] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[4292] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[4292] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[4292] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4464] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4464] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3604] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3604] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4380] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000777bfc90 5 bytes JMP 0000000173081c00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4380] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000777bfe54 5 bytes JMP 0000000173081820 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4380] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000777bffb4 5 bytes JMP 0000000173081ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4380] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000777c07dc 5 bytes JMP 0000000173081ee0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4380] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000777c08b4 5 bytes JMP 0000000173081f00 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4380] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077093bab 5 bytes JMP 0000000173081990 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4380] C:\Windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076f93b49 5 bytes JMP 0000000173081de0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5108:3104] 0000000075af7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5108:4224] 000000005f24758a Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5108:4256] 00000000777dc557 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5108:4008] 00000000777f27c1 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5108:1896] 00000000777f27c1 ---- EOF - GMER 2.1 ----