GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-09 20:57:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 PLEXTOR_ rev.1.08 119,24GB Running: 6k68n38m.exe; Driver: C:\Users\Adam\AppData\Local\Temp\aftcqaow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074bd1401 2 bytes JMP 76c6b233 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074bd1419 2 bytes JMP 76c6b35e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074bd1431 2 bytes JMP 76ce9011 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074bd144a 2 bytes CALL 76c448ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074bd14dd 2 bytes JMP 76ce890a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074bd14f5 2 bytes JMP 76ce8ae0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074bd150d 2 bytes JMP 76ce8800 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074bd1525 2 bytes JMP 76ce8bca C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074bd153d 2 bytes JMP 76c5fcc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074bd1555 2 bytes JMP 76c66907 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074bd156d 2 bytes JMP 76ce90c9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074bd1585 2 bytes JMP 76ce8c2a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074bd159d 2 bytes JMP 76ce87c4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074bd15b5 2 bytes JMP 76c5fd59 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074bd15cd 2 bytes JMP 76c6b2f4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074bd16b2 2 bytes JMP 76ce8f8c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1456] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074bd16bd 2 bytes JMP 76ce8759 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074bd1401 2 bytes JMP 76c6b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074bd1419 2 bytes JMP 76c6b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074bd1431 2 bytes JMP 76ce9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074bd144a 2 bytes CALL 76c448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074bd14dd 2 bytes JMP 76ce890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074bd14f5 2 bytes JMP 76ce8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074bd150d 2 bytes JMP 76ce8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074bd1525 2 bytes JMP 76ce8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074bd153d 2 bytes JMP 76c5fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074bd1555 2 bytes JMP 76c66907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074bd156d 2 bytes JMP 76ce90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074bd1585 2 bytes JMP 76ce8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074bd159d 2 bytes JMP 76ce87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074bd15b5 2 bytes JMP 76c5fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074bd15cd 2 bytes JMP 76c6b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074bd16b2 2 bytes JMP 76ce8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1608] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074bd16bd 2 bytes JMP 76ce8759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007720fc90 5 bytes JMP 00000001740823d0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007720fe54 5 bytes JMP 0000000174082260 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007720fee8 5 bytes JMP 0000000174082690 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007720ffb4 5 bytes JMP 0000000174082670 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772100a8 5 bytes JMP 0000000174082590 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772107dc 5 bytes JMP 00000001740826b0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772108b4 5 bytes JMP 00000001740826f0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007721095c 5 bytes JMP 0000000174082730 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772110b8 5 bytes JMP 00000001740826d0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077211130 5 bytes JMP 0000000174082710 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007720fc90 5 bytes JMP 00000001740823d0 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007720fe54 5 bytes JMP 0000000174082260 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007720fee8 5 bytes JMP 0000000174082690 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007720ffb4 5 bytes JMP 0000000174082670 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772100a8 5 bytes JMP 0000000174082590 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772107dc 5 bytes JMP 00000001740826b0 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772108b4 5 bytes JMP 00000001740826f0 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007721095c 5 bytes JMP 0000000174082730 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772110b8 5 bytes JMP 00000001740826d0 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077211130 5 bytes JMP 0000000174082710 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007720fc90 5 bytes JMP 00000001740823d0 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007720fe54 5 bytes JMP 0000000174082260 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007720fee8 5 bytes JMP 0000000174082690 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007720ffb4 5 bytes JMP 0000000174082670 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772100a8 5 bytes JMP 0000000174082590 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772107dc 5 bytes JMP 00000001740826b0 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772108b4 5 bytes JMP 00000001740826f0 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007721095c 5 bytes JMP 0000000174082730 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772110b8 5 bytes JMP 00000001740826d0 .text C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077211130 5 bytes JMP 0000000174082710 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007720fc90 5 bytes JMP 00000001740823d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007720fe54 5 bytes JMP 0000000174082260 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007720fee8 5 bytes JMP 0000000174082690 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007720ffb4 5 bytes JMP 0000000174082670 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772100a8 5 bytes JMP 0000000174082590 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772107dc 5 bytes JMP 00000001740826b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772108b4 5 bytes JMP 00000001740826f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007721095c 5 bytes JMP 0000000174082730 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772110b8 5 bytes JMP 00000001740826d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077211130 5 bytes JMP 0000000174082710 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007720fc90 5 bytes JMP 00000001740823d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007720fe54 5 bytes JMP 0000000174082260 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007720fee8 5 bytes JMP 0000000174082690 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007720ffb4 5 bytes JMP 0000000174082670 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772100a8 5 bytes JMP 0000000174082590 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772107dc 5 bytes JMP 00000001740826b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772108b4 5 bytes JMP 00000001740826f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007721095c 5 bytes JMP 0000000174082730 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772110b8 5 bytes JMP 00000001740826d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077211130 5 bytes JMP 0000000174082710 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074bd1401 2 bytes JMP 76c6b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074bd1419 2 bytes JMP 76c6b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074bd1431 2 bytes JMP 76ce9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074bd144a 2 bytes CALL 76c448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074bd14dd 2 bytes JMP 76ce890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074bd14f5 2 bytes JMP 76ce8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074bd150d 2 bytes JMP 76ce8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074bd1525 2 bytes JMP 76ce8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074bd153d 2 bytes JMP 76c5fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074bd1555 2 bytes JMP 76c66907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074bd156d 2 bytes JMP 76ce90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074bd1585 2 bytes JMP 76ce8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074bd159d 2 bytes JMP 76ce87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074bd15b5 2 bytes JMP 76c5fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074bd15cd 2 bytes JMP 76c6b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074bd16b2 2 bytes JMP 76ce8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074bd16bd 2 bytes JMP 76ce8759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007705dc30 5 bytes JMP 00000001770000a0 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007705dd50 5 bytes JMP 0000000177000018 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007705ddb0 5 bytes JMP 00000001770003d0 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007705de30 5 bytes JMP 00000001770001b0 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007705ded0 5 bytes JMP 0000000177000128 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007705e380 5 bytes JMP 0000000177000238 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007705e410 5 bytes JMP 00000001770002c0 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007705e480 5 bytes JMP 0000000177000348 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007705e940 5 bytes JMP 0000000177000458 .text C:\Windows\system32\SearchIndexer.exe[4764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007705e990 5 bytes JMP 00000001770004e0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007720fc90 5 bytes JMP 00000001740823d0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007720fe54 5 bytes JMP 0000000174082260 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007720fee8 5 bytes JMP 0000000174082690 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007720ffb4 5 bytes JMP 0000000174082670 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772100a8 5 bytes JMP 0000000174082590 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772107dc 5 bytes JMP 00000001740826b0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772108b4 5 bytes JMP 00000001740826f0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007721095c 5 bytes JMP 0000000174082730 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772110b8 5 bytes JMP 00000001740826d0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe[4908] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077211130 5 bytes JMP 0000000174082710 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007720fc90 5 bytes JMP 00000001740823d0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007720fe54 5 bytes JMP 0000000174082260 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007720fee8 5 bytes JMP 0000000174082690 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007720ffb4 5 bytes JMP 0000000174082670 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772100a8 5 bytes JMP 0000000174082590 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772107dc 5 bytes JMP 00000001740826b0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772108b4 5 bytes JMP 00000001740826f0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007721095c 5 bytes JMP 0000000174082730 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772110b8 5 bytes JMP 00000001740826d0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077211130 5 bytes JMP 0000000174082710 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007720fc90 5 bytes JMP 00000001740823d0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007720fe54 5 bytes JMP 0000000174082260 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007720fee8 5 bytes JMP 0000000174082690 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007720ffb4 5 bytes JMP 0000000174082670 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772100a8 5 bytes JMP 0000000174082590 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772107dc 5 bytes JMP 00000001740826b0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772108b4 5 bytes JMP 00000001740826f0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007721095c 5 bytes JMP 0000000174082730 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772110b8 5 bytes JMP 00000001740826d0 .text C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe[4988] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077211130 5 bytes JMP 0000000174082710 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007705dc30 5 bytes JMP 00000001770000a0 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007705dd50 5 bytes JMP 0000000177000018 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007705ddb0 5 bytes JMP 00000001770003d0 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007705de30 5 bytes JMP 00000001770001b0 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007705ded0 5 bytes JMP 0000000177000128 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007705e380 5 bytes JMP 0000000177000238 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007705e410 5 bytes JMP 00000001770002c0 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007705e480 5 bytes JMP 0000000177000348 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007705e940 5 bytes JMP 0000000177000458 .text C:\Windows\System32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007705e990 5 bytes JMP 00000001770004e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007705dc30 5 bytes JMP 00000001770000a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007705dd50 5 bytes JMP 0000000177000018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007705ddb0 5 bytes JMP 00000001770003d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007705de30 5 bytes JMP 00000001770001b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007705ded0 5 bytes JMP 0000000177000128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007705e380 5 bytes JMP 0000000177000238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007705e410 5 bytes JMP 00000001770002c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007705e480 5 bytes JMP 0000000177000348 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007705e940 5 bytes JMP 0000000177000458 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007705e990 5 bytes JMP 00000001770004e0 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007705dc30 5 bytes JMP 00000001770000a0 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007705dd50 5 bytes JMP 0000000177000018 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007705ddb0 5 bytes JMP 00000001770003d0 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007705de30 5 bytes JMP 00000001770001b0 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007705ded0 5 bytes JMP 0000000177000128 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007705e380 5 bytes JMP 0000000177000238 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007705e410 5 bytes JMP 00000001770002c0 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007705e480 5 bytes JMP 0000000177000348 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007705e940 5 bytes JMP 0000000177000458 .text C:\Windows\system32\taskeng.exe[5856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007705e990 5 bytes JMP 00000001770004e0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:2984] 00000000772427c1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3004] 000000007722c557 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:2092] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:2184] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:2152] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:2388] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:1964] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:1820] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:2784] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:2172] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:1564] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3732] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3352] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3780] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3368] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3376] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3288] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3876] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:2992] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3372] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3800] 00000000772427c1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3700] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:3560] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:5516] 000000006ce829e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2864:5520] 000000006ce829e1 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d3f518 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d3f518 (not active ControlSet) ---- EOF - GMER 2.1 ----