GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-10 17:15:37
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\00000057 ST1000DM rev.CC45 931,51GB
Running: 9uo0ls8e.exe; Driver: C:\Users\dom\AppData\Local\Temp\uxriqpow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Windows\Explorer.EXE[2496] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\Explorer.EXE[2496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\Explorer.EXE[2496] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\Explorer.EXE[2496] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Windows\system32\Dwm.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\system32\Dwm.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\system32\Dwm.exe[2644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\system32\Dwm.exe[2644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\ProgramData\aWMiniProa\WMiniPro.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\ProgramData\aWMiniProa\WMiniPro.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\ProgramData\aWMiniProa\WMiniPro.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\ProgramData\aWMiniProa\WMiniPro.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\ProgramData\aWMiniProa\WMiniPro.exe[2744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2788] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2788] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2804] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764a1401 2 bytes JMP 75efeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764a1419 2 bytes JMP 75f0b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764a1431 2 bytes JMP 75f88609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764a144a 2 bytes CALL 75ee1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764a14dd 2 bytes JMP 75f87efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764a14f5 2 bytes JMP 75f880d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764a150d 2 bytes JMP 75f87df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764a1525 2 bytes JMP 75f881c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764a153d 2 bytes JMP 75eff088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764a1555 2 bytes JMP 75f0b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764a156d 2 bytes JMP 75f886c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764a1585 2 bytes JMP 75f88222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764a159d 2 bytes JMP 75f87db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764a15b5 2 bytes JMP 75eff121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764a15cd 2 bytes JMP 75f0b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764a16b2 2 bytes JMP 75f88584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764a16bd 2 bytes JMP 75f87d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000074f311a8 2 bytes [F3, 74]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 0000000074f3127d 2 bytes CALL 75ee14dd C:\Windows\syswow64\kernel32.dll
.text ... * 6
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000074f313a8 2 bytes [F3, 74]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000074f31422 2 bytes [F3, 74]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2844] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000074f31498 2 bytes [F3, 74]
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2920] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2920] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2920] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2920] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2920] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2928] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764a1401 2 bytes JMP 75efeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764a1419 2 bytes JMP 75f0b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764a1431 2 bytes JMP 75f88609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764a144a 2 bytes CALL 75ee1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764a14dd 2 bytes JMP 75f87efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764a14f5 2 bytes JMP 75f880d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764a150d 2 bytes JMP 75f87df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764a1525 2 bytes JMP 75f881c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764a153d 2 bytes JMP 75eff088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764a1555 2 bytes JMP 75f0b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764a156d 2 bytes JMP 75f886c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764a1585 2 bytes JMP 75f88222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764a159d 2 bytes JMP 75f87db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764a15b5 2 bytes JMP 75eff121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764a15cd 2 bytes JMP 75f0b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764a16b2 2 bytes JMP 75f88584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2968] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764a16bd 2 bytes JMP 75f87d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\ctfmon.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\Windows\SysWOW64\ctfmon.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\Windows\SysWOW64\ctfmon.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\Windows\SysWOW64\ctfmon.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\Windows\SysWOW64\ctfmon.exe[1316] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Windows\system32\SearchIndexer.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\system32\SearchIndexer.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\system32\SearchIndexer.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\system32\SearchIndexer.exe[3668] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\system32\svchost.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\system32\svchost.exe[4036] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!DispatchMessageW 00000000763a7deb 5 bytes JMP 00000001707ba4b0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!DispatchMessageA 00000000763a8103 5 bytes JMP 00000001707ba480
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000763a8b9a 5 bytes JMP 00000001707bae90
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000763aa5e6 5 bytes JMP 00000001707bad50
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!SetWindowPos 00000000763acdb4 5 bytes JMP 00000001707ba610
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000763b0112 5 bytes JMP 00000001707ba7d0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000763b0dbe 5 bytes JMP 00000001707ba4e0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!EndPaint 00000000763b0e9a 5 bytes JMP 00000001707ba8b0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!BeginPaint 00000000763b0eba 5 bytes JMP 00000001707ba850
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 00000000763b1d34 5 bytes JMP 00000001707ba710
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!DestroyWindow 00000000763b1e6e 5 bytes JMP 00000001707ba5e0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindowIndirect 00000000763b260a 5 bytes JMP 00000001707bacd0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!WindowFromPoint 00000000763b2ddb 5 bytes JMP 00000001707b9db0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!SetCapture 00000000763b2ed1 5 bytes JMP 00000001707ba750
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!SetCursor 00000000763b4076 5 bytes JMP 00000001707b9d90
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!BringWindowToTop 00000000763b7ba7 5 bytes JMP 00000001707ba830
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!AnimateWindow 00000000763c2b8d 5 bytes JMP 00000001707ba680
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindow 00000000763c30a6 5 bytes JMP 00000001707bac00
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000763ced58 5 bytes JMP 00000001707ba770
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077765ea6 5 bytes JMP 00000001707b9de0
.text C:\PROGRA~2\Raptr\raptr.exe[2392] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007776ba55 5 bytes JMP 00000001707ba050
.text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\System32\svchost.exe[3352] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\System32\svchost.exe[3352] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764a1401 2 bytes JMP 75efeb26 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764a1419 2 bytes JMP 75f0b513 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764a1431 2 bytes JMP 75f88609 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764a144a 2 bytes CALL 75ee1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764a14dd 2 bytes JMP 75f87efe C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764a14f5 2 bytes JMP 75f880d8 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764a150d 2 bytes JMP 75f87df4 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764a1525 2 bytes JMP 75f881c2 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764a153d 2 bytes JMP 75eff088 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764a1555 2 bytes JMP 75f0b885 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764a156d 2 bytes JMP 75f886c1 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764a1585 2 bytes JMP 75f88222 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764a159d 2 bytes JMP 75f87db8 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764a15b5 2 bytes JMP 75eff121 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764a15cd 2 bytes JMP 75f0b29f C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764a16b2 2 bytes JMP 75f88584 C:\Windows\syswow64\kernel32.dll
.text C:\PROGRA~2\Raptr\raptr_im.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764a16bd 2 bytes JMP 75f87d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\wbem\wmiprvse.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\system32\wbem\wmiprvse.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\system32\wbem\wmiprvse.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\system32\wbem\wmiprvse.exe[2388] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4780] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4128] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4128] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4180] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2616] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2616] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077dffbf0 5 bytes JMP 0000000172a519d0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077dffdb4 1 byte JMP 0000000172a515f0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 2 0000000077dffdb6 3 bytes {JMP 0xfffffffffac5183c}
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4204] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077e00008 5 bytes JMP 0000000172a51bb0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4204] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075ef117b 5 bytes JMP 0000000172a51760
.text C:\Users\dom\Downloads\FRST64.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Users\dom\Downloads\FRST64.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Users\dom\Downloads\FRST64.exe[3908] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Users\dom\Downloads\FRST64.exe[3908] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\system32\notepad.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\system32\notepad.exe[5064] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Windows\system32\notepad.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\system32\notepad.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\system32\notepad.exe[3644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\system32\notepad.exe[3644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0
.text C:\Windows\system32\notepad.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c50130 5 bytes JMP 0000000077db0128
.text C:\Windows\system32\notepad.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c50250 5 bytes JMP 0000000077db0018
.text C:\Windows\system32\notepad.exe[4336] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c503d0 5 bytes JMP 0000000077db01b0
.text C:\Windows\system32\notepad.exe[4336] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000077afa600 5 bytes JMP 0000000077db00a0

---- Processes - GMER 2.1 ----

Process C:\ProgramData\aWMiniProa\WMiniPro.exe (*** suspicious ***) @ C:\ProgramData\aWMiniProa\WMiniPro.exe [2744] (DTools/DTools LIMITED)(2015-11-09 21:07:36) 00000000011a0000

---- EOF - GMER 2.1 ----