GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-11 19:56:16
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-00ERMA0 rev.15.01H15 465,76GB
Running: y2xjljpv.exe; Driver: C:\Users\Grzesiek\AppData\Local\Temp\kxddrfow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77]
.text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2812] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074e02097 5 bytes JMP 000000010030fa56
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77]
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77]
.text ... * 2
.text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77]
.text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77]
.text ...
* 2 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007707fc30 5 bytes JMP 000000016ff622f0 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007707fdf4 5 bytes JMP 000000016ff62180 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007707fe88 5 bytes JMP 000000016ff625b0 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007707ff54 5 bytes JMP 000000016ff62590 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077080048 5 bytes JMP 000000016ff624b0 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007708077c 5 bytes JMP 000000016ff625d0 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077080854 5 bytes JMP 000000016ff62610 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770808fc 5 bytes JMP 000000016ff62650 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077081058 5 bytes JMP 000000016ff625f0 .text C:\Windows\SysWOW64\ctfmon.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770810d0 5 bytes JMP 000000016ff62630 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ed16b0 5 bytes JMP 0000000176e70018 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 
0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Windows\system32\svchost.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 0000000176e704e0 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007707fc30 5 bytes JMP 000000016ff622f0 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007707fdf4 5 bytes JMP 000000016ff62180 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007707fe88 5 bytes JMP 000000016ff625b0 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007707ff54 5 bytes JMP 000000016ff62590 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077080048 5 bytes JMP 000000016ff624b0 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007708077c 5 bytes JMP 000000016ff625d0 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077080854 5 bytes JMP 000000016ff62610 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770808fc 5 bytes JMP 000000016ff62650 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077081058 5 bytes 
JMP 000000016ff625f0 .text C:\ProgramData\UWMiniProU\WMiniPro.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770810d0 5 bytes JMP 000000016ff62630 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007707fc30 5 bytes JMP 000000016ff622f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007707fdf4 5 bytes JMP 000000016ff62180 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007707fe88 5 bytes JMP 000000016ff625b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007707ff54 5 bytes JMP 000000016ff62590 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077080048 5 bytes JMP 000000016ff624b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007708077c 5 bytes JMP 000000016ff625d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077080854 5 bytes JMP 000000016ff62610 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000770808fc 5 bytes JMP 000000016ff62650 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077081058 5 bytes JMP 000000016ff625f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000770810d0 5 bytes JMP 000000016ff62630 .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077031465 2 bytes [03, 77] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MMLoadDrv.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770314bb 2 bytes [03, 77] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ed16b0 5 bytes JMP 0000000176e70018 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Windows\system32\SearchIndexer.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 0000000176e704e0 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
0000000076ed16b0 5 bytes JMP 0000000176e70018 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Windows\system32\svchost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 0000000176e704e0 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ed16b0 5 bytes JMP 0000000176e70018 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Windows\System32\svchost.exe[4928] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Windows\System32\svchost.exe[4928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 0000000176e704e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ed16b0 5 bytes JMP 0000000176e70018 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 0000000176e704e0 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ed16b0 5 bytes JMP 0000000176e70018 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Windows\System32\svchost.exe[6124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 0000000176e704e0 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ed16b0 5 bytes JMP 0000000176e70018 .text 
C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Windows\system32\WUDFHost.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 0000000176e704e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ed16b0 5 bytes JMP 0000000176e70018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Program Files 
(x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 0000000176e704e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076ed1590 5 bytes JMP 0000000176e700a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ed16b0 5 bytes JMP 0000000176e70018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ed1710 5 bytes JMP 0000000176e703d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ed1790 5 bytes JMP 0000000176e701b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076ed1830 5 bytes JMP 0000000176e70128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ed1ce0 5 bytes JMP 0000000176e70238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ed1d70 5 bytes JMP 0000000176e702c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076ed1de0 5 bytes JMP 0000000176e70348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ed22a0 5 bytes JMP 0000000176e70458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[4192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ed22f0 5 bytes JMP 
0000000176e704e0

---- EOF - GMER 2.1 ----