GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-01-04 19:06:12
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST31000528AS rev.CC34 931,51GB
Running: f43d70v7.exe; Driver: C:\Users\Piotrek\AppData\Local\Temp\kwdiipoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075631401 2 bytes JMP 74efeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075631419 2 bytes JMP 74f0b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075631431 2 bytes JMP 74f88609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007563144a 2 bytes CALL 74ee1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756314dd 2 bytes JMP 74f87efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756314f5 2 bytes JMP 74f880d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007563150d 2 bytes JMP 74f87df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075631525 2 bytes JMP 74f881c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007563153d 2 bytes JMP 74eff088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075631555 2 bytes JMP 74f0b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007563156d 2 bytes JMP 74f886c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075631585 2 bytes JMP 74f88222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007563159d 2 bytes JMP 74f87db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756315b5 2 bytes JMP 74eff121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756315cd 2 bytes JMP 74f0b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756316b2 2 bytes JMP 74f88584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1544] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756316bd 2 bytes JMP 74f87d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075631401 2 bytes JMP 74efeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075631419 2 bytes JMP 74f0b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075631431 2 bytes JMP 74f88609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007563144a 2 bytes CALL 74ee1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756314dd 2 bytes JMP 74f87efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756314f5 2 bytes JMP 74f880d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007563150d 2 bytes JMP 74f87df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075631525 2 bytes JMP 74f881c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007563153d 2 bytes JMP 74eff088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075631555 2 bytes JMP 74f0b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007563156d 2 bytes JMP 74f886c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075631585 2 bytes JMP 74f88222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007563159d 2 bytes JMP 74f87db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756315b5 2 bytes JMP 74eff121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756315cd 2 bytes JMP 74f0b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756316b2 2 bytes JMP 74f88584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2332] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756316bd 2 bytes JMP 74f87d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000075631401 2 bytes JMP 74efeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000075631419 2 bytes JMP 74f0b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000075631431 2 bytes JMP 74f88609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  000000007563144a 2 bytes CALL 74ee1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000756314dd 2 bytes JMP 74f87efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000756314f5 2 bytes JMP 74f880d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  000000007563150d 2 bytes JMP 74f87df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000075631525 2 bytes JMP 74f881c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  000000007563153d 2 bytes JMP 74eff088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000075631555 2 bytes JMP 74f0b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  000000007563156d 2 bytes JMP 74f886c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000075631585 2 bytes JMP 74f88222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  000000007563159d 2 bytes JMP 74f87db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000756315b5 2 bytes JMP 74eff121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000756315cd 2 bytes JMP 74f0b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000756316b2 2 bytes JMP 74f88584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\Steam.exe[3800] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000756316bd 2 bytes JMP 74f87d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075631401 2 bytes JMP 74efeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075631419 2 bytes JMP 74f0b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075631431 2 bytes JMP 74f88609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007563144a 2 bytes CALL 74ee1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756314dd 2 bytes JMP 74f87efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756314f5 2 bytes JMP 74f880d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007563150d 2 bytes JMP 74f87df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075631525 2 bytes JMP 74f881c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007563153d 2 bytes JMP 74eff088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075631555 2 bytes JMP 74f0b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007563156d 2 bytes JMP 74f886c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075631585 2 bytes JMP 74f88222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007563159d 2 bytes JMP 74f87db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756315b5 2 bytes JMP 74eff121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756315cd 2 bytes JMP 74f0b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756316b2 2 bytes JMP 74f88584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756316bd 2 bytes JMP 74f87d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5  000000007724f951 7 bytes {MOV EDX, 0xd61ae8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5  000000007724f9cd 7 bytes {MOV EDX, 0xd619a8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5  000000007724fae5 7 bytes {MOV EDX, 0xd61968; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5  000000007724fb95 7 bytes {MOV EDX, 0xd61b28; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5  000000007724fbc5 7 bytes {MOV EDX, 0xd61a68; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5  000000007724fbdd 7 bytes {MOV EDX, 0xd61928; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5  000000007724fbf5 7 bytes {MOV EDX, 0xd61be8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5  000000007724fc25 7 bytes {MOV EDX, 0xd61c28; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5  000000007724fca5 7 bytes {MOV EDX, 0xd61ba8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5  000000007724fcbd 7 bytes {MOV EDX, 0xd61b68; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5  000000007724fd09 7 bytes {MOV EDX, 0xd61868; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5  000000007724fe01 7 bytes {MOV EDX, 0xd618a8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5  0000000077250059 7 bytes {MOV EDX, 0xd61828; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5  0000000077250fbd 7 bytes {MOV EDX, 0xd619e8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5  0000000077251065 7 bytes {MOV EDX, 0xd61aa8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5  00000000772510dd 7 bytes {MOV EDX, 0xd61a28; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5  00000000772512e1 7 bytes {MOV EDX, 0xd618e8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075631401 2 bytes JMP 74efeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075631419 2 bytes JMP 74f0b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075631431 2 bytes JMP 74f88609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007563144a 2 bytes CALL 74ee1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756314dd 2 bytes JMP 74f87efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756314f5 2 bytes JMP 74f880d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007563150d 2 bytes JMP 74f87df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075631525 2 bytes JMP 74f881c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007563153d 2 bytes JMP 74eff088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075631555 2 bytes JMP 74f0b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007563156d 2 bytes JMP 74f886c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075631585 2 bytes JMP 74f88222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007563159d 2 bytes JMP 74f87db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756315b5 2 bytes JMP 74eff121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756315cd 2 bytes JMP 74f0b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756316b2 2 bytes JMP 74f88584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756316bd 2 bytes JMP 74f87d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5  000000007724f951 7 bytes {MOV EDX, 0xf9eae8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5  000000007724f9cd 7 bytes {MOV EDX, 0xf9e9a8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5  000000007724fae5 7 bytes {MOV EDX, 0xf9e968; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5  000000007724fb95 7 bytes {MOV EDX, 0xf9eb28; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5  000000007724fbc5 7 bytes {MOV EDX, 0xf9ea68; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5  000000007724fbdd 7 bytes {MOV EDX, 0xf9e928; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5  000000007724fbf5 7 bytes {MOV EDX, 0xf9ebe8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5  000000007724fc25 7 bytes {MOV EDX, 0xf9ec28; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5  000000007724fca5 7 bytes {MOV EDX, 0xf9eba8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5  000000007724fcbd 7 bytes {MOV EDX, 0xf9eb68; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5  000000007724fd09 7 bytes {MOV EDX, 0xf9e868; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5  000000007724fe01 7 bytes {MOV EDX, 0xf9e8a8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5  0000000077250059 7 bytes {MOV EDX, 0xf9e828; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5  0000000077250fbd 7 bytes {MOV EDX, 0xf9e9e8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5  0000000077251065 7 bytes {MOV EDX, 0xf9eaa8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5  00000000772510dd 7 bytes {MOV EDX, 0xf9ea28; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5  00000000772512e1 7 bytes {MOV EDX, 0xf9e8e8; JMP RDX}
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075631401 2 bytes JMP 74efeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075631419 2 bytes JMP 74f0b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075631431 2 bytes JMP 74f88609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007563144a 2 bytes CALL 74ee1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000756314dd 2 bytes JMP 74f87efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756314f5 2 bytes JMP 74f880d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007563150d 2 bytes JMP 74f87df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075631525 2 bytes JMP 74f881c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007563153d 2 bytes JMP 74eff088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075631555 2 bytes JMP 74f0b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007563156d 2 bytes JMP 74f886c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075631585 2 bytes JMP 74f88222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007563159d 2 bytes JMP 74f87db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000756315b5 2 bytes JMP 74eff121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000756315cd 2 bytes JMP 74f0b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756316b2 2 bytes JMP 74f88584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756316bd 2 bytes JMP 74f87d4d C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\NVIDIA\Updatus\ApplicationOntology\Ontology.dll (*** suspicious ***) @ C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1544] (Application Ontology library/NVIDIA Corporation)(2015-12-31 10:46:04)  00000000745a0000
Library  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{25F61ECA-937E-4ED4-B3E2-B385C0A3CD8F}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [2136] (Microsoft Malware Protection Engine/Microsoft Corporation)(2016-01-03 18:49:56)  000007fef6010000
Process  C:\Users\Piotrek\AppData\Roaming\Spotify\SpotifyWebHelper.exe (*** suspicious ***) @ C:\Users\Piotrek\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2104] (SpotifyWebHelper/Spotify Ltd)(2015-03-11 19:58:36)  0000000000400000

---- EOF - GMER 2.1 ----