GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-29 23:06:58 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: 7j3wx5pl.exe; Driver: C:\Users\Tays\AppData\Local\Temp\awlcraoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Windows\System32\hkcmd.exe[3468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Windows\System32\igfxpers.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Program Files\Elantech\ETDCtrl.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Users\Tays\AppData\Roaming\uTorrent\uTorrent.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[3648] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3644] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[3596] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a21465 2 bytes [A2, 76] .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a214bb 2 bytes [A2, 76] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Windows\system32\SearchIndexer.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Windows\system32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Windows\system32\svchost.exe[4900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Windows\System32\svchost.exe[5044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Windows\SysWOW64\ctfmon.exe[5200] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5456] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4168] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b5fbe0 5 bytes JMP 00000001751c23d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b5fda4 5 bytes JMP 00000001751c2260 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077b5fe38 5 bytes JMP 00000001751c2690 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077b5ff04 5 bytes JMP 00000001751c2670 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077b5fff8 5 bytes JMP 00000001751c2590 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077b6072c 5 bytes JMP 00000001751c26b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077b60804 5 bytes JMP 00000001751c26f0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077b608ac 5 bytes JMP 00000001751c2730 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077b61008 5 bytes JMP 00000001751c26d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5708] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077b61080 5 bytes JMP 00000001751c2710 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779af930 5 bytes JMP 00000001778300a0 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779afa50 5 bytes JMP 0000000177830018 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779afab0 5 bytes JMP 00000001778303d0 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779afb30 5 bytes JMP 00000001778301b0 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779afbd0 5 bytes JMP 0000000177830128 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779b0080 5 bytes JMP 0000000177830238 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779b0110 5 bytes JMP 00000001778302c0 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000779b0180 5 bytes JMP 0000000177830348 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779b0640 5 bytes JMP 0000000177830458 .text C:\Windows\system32\wuauclt.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779b0690 5 bytes JMP 00000001778304e0 ---- Processes - GMER 2.1 ---- Process C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe (*** suspicious ***) @ C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe [4064] (WebHelper/BitTorrent Inc.)(2016-02-10 19:17:31) 0000000001360000 Process C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe (*** suspicious ***) @ C:\Users\Tays\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe [4140] (WebHelper/BitTorrent Inc.)(2016-02-10 19:17:31) 0000000001360000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556] (Python Core/Python Software Foundation)(2016-02-29 18:01:27) 000000001e000000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:28) 000000001e8c0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:24) 000000001e7a0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:28) 0000000002620000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:29) 000000001e800000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:25) 0000000010000000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:32) 0000000002f10000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wxbase30u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556] (wxWidgets base library/wxWidgets development team)(2016-02-29 18:01:34) 0000000003040000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wxbase30u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556] (wxWidgets network library/wxWidgets development team)(2016-02-29 18:01:34) 0000000000770000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wxmsw30u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556] (wxWidgets core library/wxWidgets development team)(2016-02-29 18:01:34) 0000000003240000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wxmsw30u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556] (wxWidgets advanced library/wxWidgets development team)(2016-02-29 18:01:34) 0000000003710000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:33) 0000000003950000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:33) 0000000004230000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wxmsw30u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556] (wxWidgets html library/wxWidgets development team)(2016-02-29 18:01:34) 0000000004300000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:32) 00000000045c0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:33) 00000000046d0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:27) 0000000004790000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:24) 000000001d1a0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:29) 000000001ea10000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:31) 000000001ec80000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:26) 0000000000810000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\thumbnails_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:28) 0000000000820000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\usb_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:28) 0000000000940000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:30) 000000001ea40000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:29) 000000001e9b0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:25) 0000000000830000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:25) 0000000004840000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:25) 000000001d100000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:27) 0000000001f60000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\common.time34.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:26) 0000000000850000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\_psutil_windows.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:25) 0000000001fd0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:30) 000000001eaa0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:29) 000000001e980000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:33) 0000000002690000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wxmsw30u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556] (wxWidgets webview library/wxWidgets development team)(2016-02-29 18:01:35) 00000000026c0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:25) 00000000026e0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\_yappi.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:25) 00000000026f0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:31) 000000001ebf0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:28) 0000000005a40000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wx._animate.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:32) 00000000043a0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:34) 00000000043d0000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:30) 000000001eb90000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:28) 0000000004410000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:30) 000000001eb60000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:31) 000000001ec20000 Library C:\Users\Tays\AppData\Local\Temp\_MEI36202\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [4556](2016-02-29 18:01:31) 000000001ed40000 ---- Files - GMER 2.1 ---- File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9C9C.tmp 28134 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9C9D.tmp 28134 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9C9E.tmp 28134 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9C9F.tmp 28134 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9CA0.tmp 0 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9CA1.tmp 0 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9CD1.tmp 28134 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9CD2.tmp 28134 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9CD3.tmp 28134 bytes File C:\Users\Tays\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9CD4.tmp 28134 bytes ---- EOF - GMER 2.1 ----