GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-07 15:43:33
Windows 6.1.7601 Service Pack 1 x64
\Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP0T0L0-0 INTEL_SSDSC2BW120A4 rev.DC22 111,79GB
Running: 1es68vz9.exe; Driver: E:\Temp\kwddqkog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2756] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075bf1bb2 5 bytes JMP 00000001010e1179
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\USER32.dll!GetMessageW 0000000075c478e2 5 bytes JMP 0000000156a3a990
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075c50dfb 5 bytes JMP 0000000156a3ae80
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\USER32.dll!GetCursorPos 0000000075c51218 5 bytes JMP 0000000156a39fb0
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\USER32.dll!SetWindowRgn 0000000075c5284d 5 bytes JMP 0000000156a3d370
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindowIndirect 0000000075c528da 5 bytes JMP 0000000156a39550
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\USER32.dll!SetCursor 0000000075c541f6 5 bytes JMP 0000000156a3a4c0
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\USER32.dll!WindowFromPoint 0000000075c6ed12 5 bytes JMP 0000000156a39ad0
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\USER32.dll!AttachThreadInput 0000000075c6f188 5 bytes JMP 0000000156a3ccd0
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\shell32.dll!ShellExecuteW 0000000076483c71 5 bytes JMP 0000000156a3ca90
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\COMDLG32.dll!GetOpenFileNameW 00000000778ba2d5 5 bytes JMP 0000000156a3c770
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[2940] C:\Windows\syswow64\COMDLG32.dll!GetSaveFileNameW 00000000778ba36e 5 bytes JMP 0000000156a3c900
.text C:\Program Files (x86)\Steam\Steam.exe[3032] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\Steam\Steam.exe[3032] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\No-IP Client\noipclient.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\No-IP Client\noipclient.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\AVG\Av\avgfws.exe[3988] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\AVG\Av\avgfws.exe[3988] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[4244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000756d1a22 2 bytes [6D, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[4244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000756d1ad0 2 bytes [6D, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[4244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000756d1b08 2 bytes [6D, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[4244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000756d1bba 2 bytes [6D, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[4244] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000756d1bda 2 bytes [6D, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[4244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[4244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Windows\system32\wbem\unsecapp.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077defc40 5 bytes JMP 0000000169c922f0
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077defe04 5 bytes JMP 0000000169c92180
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077defe98 5 bytes JMP 0000000169c925b0
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077deff64 5 bytes JMP 0000000169c92590
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077df0058 5 bytes JMP 0000000169c924b0
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077df078c 5 bytes JMP 0000000169c925d0
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077df0864 5 bytes JMP 0000000169c92610
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077df090c 5 bytes JMP 0000000169c92650
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077df1068 5 bytes JMP 0000000169c925f0
.text C:\Windows\sysWOW64\wbem\wmiprvse.exe[5012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077df10e0 5 bytes JMP 0000000169c92630
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Windows\system32\svchost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077defc40 5 bytes JMP 0000000169c922f0
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077defe04 5 bytes JMP 0000000169c92180
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077defe98 5 bytes JMP 0000000169c925b0
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077deff64 5 bytes JMP 0000000169c92590
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077df0058 5 bytes JMP 0000000169c924b0
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077df078c 5 bytes JMP 0000000169c925d0
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077df0864 5 bytes JMP 0000000169c92610
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077df090c 5 bytes JMP 0000000169c92650
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077df1068 5 bytes JMP 0000000169c925f0
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077df10e0 5 bytes JMP 0000000169c92630
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Windows\system32\svchost.exe[5248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[5572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[6016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Windows\system32\conhost.exe[6028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[6156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Windows\System32\svchost.exe[6356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077defc40 5 bytes JMP 0000000169c922f0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077defe04 5 bytes JMP 0000000169c92180
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077defe98 5 bytes JMP 0000000169c925b0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077deff64 5 bytes JMP 0000000169c92590
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077df0058 5 bytes JMP 0000000169c924b0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077df078c 5 bytes JMP 0000000169c925d0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077df0864 5 bytes JMP 0000000169c92610
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077df090c 5 bytes JMP 0000000169c92650
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077df1068 5 bytes JMP 0000000169c925f0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077df10e0 5 bytes JMP 0000000169c92630
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper.exe[7700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Program Files (x86)\Common Files\Overwolf\0.91.22.0\OverwolfHelper64.exe[7716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077defc40 5 bytes JMP 0000000169c922f0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077defe04 5 bytes JMP 0000000169c92180
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077defe98 5 bytes JMP 0000000169c925b0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077deff64 5 bytes JMP 0000000169c92590
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077df0058 5 bytes JMP 0000000169c924b0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077df078c 5 bytes JMP 0000000169c925d0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077df0864 5 bytes JMP 0000000169c92610
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077df090c 5 bytes JMP 0000000169c92650
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077df1068 5 bytes JMP 0000000169c925f0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077df10e0 5 bytes JMP 0000000169c92630
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\Overwolf\0.91.22.0\Purplizer\Purplizer.exe[8000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Windows\system32\conhost.exe[8008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[8108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077defc40 5 bytes JMP 0000000169c922f0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077defe04 5 bytes JMP 0000000169c92180
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077defe98 5 bytes JMP 0000000169c925b0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077deff64 5 bytes JMP 0000000169c92590
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077df0058 5 bytes JMP 0000000169c924b0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077df078c 5 bytes JMP 0000000169c925d0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077df0864 5 bytes JMP 0000000169c92610
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077df090c 5 bytes JMP 0000000169c92650
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077df1068 5 bytes JMP 0000000169c925f0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077df10e0 5 bytes JMP 0000000169c92630
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[2436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077defc40 5 bytes JMP 0000000169c922f0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077defe04 5 bytes JMP 0000000169c92180
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077defe98 5 bytes JMP 0000000169c925b0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077deff64 5 bytes JMP 0000000169c92590
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077df0058 5 bytes JMP 0000000169c924b0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077df078c 5 bytes JMP 0000000169c925d0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077df0864 5 bytes JMP 0000000169c92610
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077df090c 5 bytes JMP 0000000169c92650
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077df1068 5 bytes JMP 0000000169c925f0
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077df10e0 5 bytes JMP 0000000169c92630
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d31465 2 bytes [D3, 75]
.text C:\Program Files (x86)\Overwolf\0.91.22.0\OverwolfBrowser.exe[7260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d314bb 2 bytes [D3, 75]
.text ... * 2
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c41590 5 bytes JMP 0000000077da00a0
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c416b0 5 bytes JMP 0000000077da0018
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c41710 5 bytes JMP 0000000077da03d0
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c41790 5 bytes JMP 0000000077da01b0
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c41830 5 bytes JMP 0000000077da0128
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c41ce0 5 bytes JMP 0000000077da0238
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c41d70 5 bytes JMP 0000000077da02c0
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c41de0 5 bytes JMP 0000000077da0348
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c422a0 5 bytes JMP 0000000077da0458
.text C:\Windows\system32\taskmgr.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c422f0 5 bytes JMP 0000000077da04e0

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fee4c3741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fee4c35f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fee4c35674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fee4c35e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fee4c37f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fee4c36a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fee4c36ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fee4c37b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fee4c37ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fee4c378b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fee4c34fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fee4c35d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4492] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fee4c37584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2336] (GG drive overlay/GG Network S.A.)(2012-10-18 02:55:43) 000000005c080000 Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Program Files\NetWorx\networx.exe [2800] (GG drive overlay/GG Network S.A.)( 000000005c080000 ---- EOF - GMER 2.1 ----