GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-11 11:27:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0003SDM1 465,76GB Running: i334bk0j.exe; Driver: C:\Users\ASUS\AppData\Local\Temp\aftcqaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fcdc30 5 bytes JMP 0000000176f700a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fcdd50 5 bytes JMP 0000000176f70018 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fcddb0 5 bytes JMP 0000000176f703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fcde30 5 bytes JMP 0000000176f701b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fcded0 5 bytes JMP 0000000176f70128 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fce380 5 bytes JMP 0000000176f70238 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fce410 5 bytes JMP 0000000176f702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fce480 5 bytes JMP 0000000176f70348 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fce940 5 bytes JMP 0000000176f70458 .text C:\Windows\system32\wbem\wmiprvse.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fce990 5 bytes JMP 0000000176f704e0 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fcdc30 5 bytes JMP 0000000176f700a0 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fcdd50 5 bytes JMP 0000000176f70018 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fcddb0 5 bytes JMP 0000000176f703d0 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fcde30 5 bytes JMP 0000000176f701b0 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fcded0 5 bytes JMP 0000000176f70128 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fce380 5 bytes JMP 0000000176f70238 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fce410 5 bytes JMP 0000000176f702c0 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fce480 5 bytes JMP 0000000176f70348 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fce940 5 bytes JMP 0000000176f70458 .text C:\Windows\system32\Dwm.exe[3596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fce990 5 bytes JMP 0000000176f704e0 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fcdc30 5 bytes JMP 0000000176f700a0 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fcdd50 5 bytes JMP 0000000176f70018 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fcddb0 5 bytes JMP 0000000176f703d0 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fcde30 5 bytes JMP 0000000176f701b0 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fcded0 5 bytes JMP 0000000176f70128 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fce380 5 bytes JMP 0000000176f70238 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fce410 5 bytes JMP 0000000176f702c0 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fce480 5 bytes JMP 0000000176f70348 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fce940 5 bytes JMP 0000000176f70458 .text C:\Windows\Explorer.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fce990 5 bytes JMP 0000000176f704e0 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fcdc30 5 bytes JMP 0000000176f700a0 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fcdd50 5 bytes JMP 0000000176f70018 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fcddb0 5 bytes JMP 0000000176f703d0 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fcde30 5 bytes JMP 0000000176f701b0 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fcded0 5 bytes JMP 0000000176f70128 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fce380 5 bytes JMP 0000000176f70238 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fce410 5 bytes JMP 0000000176f702c0 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fce480 5 bytes JMP 0000000176f70348 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fce940 5 bytes JMP 0000000176f70458 .text C:\Program Files\Microsoft Security Client\msseces.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fce990 5 bytes JMP 0000000176f704e0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fcdc30 5 bytes JMP 0000000176f700a0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fcdd50 5 bytes JMP 0000000176f70018 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fcddb0 5 bytes JMP 0000000176f703d0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fcde30 5 bytes JMP 0000000176f701b0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fcded0 5 bytes JMP 0000000176f70128 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fce380 5 bytes JMP 0000000176f70238 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fce410 5 bytes JMP 0000000176f702c0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fce480 5 bytes JMP 0000000176f70348 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fce940 5 bytes JMP 0000000176f70458 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fce990 5 bytes JMP 0000000176f704e0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007717fc90 5 bytes JMP 00000001716e23d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007717fe54 5 bytes JMP 00000001716e2260 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007717fee8 5 bytes JMP 00000001716e2690 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007717ffb4 5 bytes JMP 00000001716e2670 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000771800a8 5 bytes JMP 00000001716e2590 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000771807dc 5 bytes JMP 00000001716e26b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000771808b4 5 bytes JMP 00000001716e26f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007718095c 5 bytes JMP 00000001716e2730 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000771810b8 5 bytes JMP 00000001716e26d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077181130 5 bytes JMP 00000001716e2710 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077131401 2 bytes JMP 7504b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077131419 2 bytes JMP 7504b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077131431 2 bytes JMP 750c9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007713144a 2 bytes CALL 750248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771314dd 2 bytes JMP 750c890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771314f5 2 bytes JMP 750c8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007713150d 2 bytes JMP 750c8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077131525 2 bytes JMP 750c8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007713153d 2 bytes JMP 7503fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077131555 2 bytes JMP 75046907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007713156d 2 bytes JMP 750c90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077131585 2 bytes JMP 750c8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007713159d 2 bytes JMP 750c87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771315b5 2 bytes JMP 7503fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771315cd 2 bytes JMP 7504b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771316b2 2 bytes JMP 750c8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771316bd 2 bytes JMP 750c8759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fcdc30 5 bytes JMP 0000000176f700a0 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fcdd50 5 bytes JMP 0000000176f70018 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fcddb0 5 bytes JMP 0000000176f703d0 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fcde30 5 bytes JMP 0000000176f701b0 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fcded0 5 bytes JMP 0000000176f70128 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fce380 5 bytes JMP 0000000176f70238 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fce410 5 bytes JMP 0000000176f702c0 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fce480 5 bytes JMP 0000000176f70348 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fce940 5 bytes JMP 0000000176f70458 .text C:\Windows\system32\SearchIndexer.exe[4080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fce990 5 bytes JMP 0000000176f704e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fcdc30 5 bytes JMP 0000000176f700a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fcdd50 5 bytes JMP 0000000176f70018 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fcddb0 5 bytes JMP 0000000176f703d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fcde30 5 bytes JMP 0000000176f701b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fcded0 5 bytes JMP 0000000176f70128 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fce380 5 bytes JMP 0000000176f70238 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fce410 5 bytes JMP 0000000176f702c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fce480 5 bytes JMP 0000000176f70348 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fce940 5 bytes JMP 0000000176f70458 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fce990 5 bytes JMP 0000000176f704e0 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fcdc30 5 bytes JMP 0000000176f700a0 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fcdd50 5 bytes JMP 0000000176f70018 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fcddb0 5 bytes JMP 0000000176f703d0 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fcde30 5 bytes JMP 0000000176f701b0 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fcded0 5 bytes JMP 0000000176f70128 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fce380 5 bytes JMP 0000000176f70238 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fce410 5 bytes JMP 0000000176f702c0 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fce480 5 bytes JMP 0000000176f70348 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fce940 5 bytes JMP 0000000176f70458 .text C:\Windows\system32\svchost.exe[4356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fce990 5 bytes JMP 0000000176f704e0 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007717fc90 5 bytes JMP 00000001716e23d0 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007717fe54 5 bytes JMP 00000001716e2260 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007717fee8 5 bytes JMP 00000001716e2690 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 000000007717ffb4 5 bytes JMP 00000001716e2670 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000771800a8 5 bytes JMP 00000001716e2590 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000771807dc 5 bytes JMP 00000001716e26b0 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000771808b4 5 bytes JMP 00000001716e26f0 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007718095c 5 bytes JMP 00000001716e2730 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000771810b8 5 bytes JMP 00000001716e26d0 .text C:\Windows\SysWOW64\ctfmon.exe[4592] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077181130 5 bytes JMP 00000001716e2710 ---- EOF - GMER 2.1 ----