GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-03-04 18:36:17
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB
Running: 4g1u6gfw.exe; Driver: C:\Users\Niagara\AppData\Local\Temp\kfddqpod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075561401 2 bytes JMP 7568b233 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075561419 2 bytes JMP 7568b35e C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075561431 2 bytes JMP 75709011 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007556144a 2 bytes CALL 756648ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755614dd 2 bytes JMP 7570890a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755614f5 2 bytes JMP 75708ae0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007556150d 2 bytes JMP 75708800 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075561525 2 bytes JMP 75708bca C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007556153d 2 bytes JMP 7567fcc0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075561555 2 bytes JMP 75686907 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007556156d 2 bytes JMP 757090c9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075561585 2 bytes JMP 75708c2a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007556159d 2 bytes JMP 757087c4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755615b5 2 bytes JMP 7567fd59 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755615cd 2 bytes JMP 7568b2f4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755616b2 2 bytes JMP 75708f8c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2148] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755616bd 2 bytes JMP 75708759 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075561401 2 bytes JMP 7568b233 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075561419 2 bytes JMP 7568b35e C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075561431 2 bytes JMP 75709011 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007556144a 2 bytes CALL 756648ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755614dd 2 bytes JMP 7570890a C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755614f5 2 bytes JMP 75708ae0 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007556150d 2 bytes JMP 75708800 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075561525 2 bytes JMP 75708bca C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007556153d 2 bytes JMP 7567fcc0 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075561555 2 bytes JMP 75686907 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007556156d 2 bytes JMP 757090c9 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075561585 2 bytes JMP 75708c2a C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007556159d 2 bytes JMP 757087c4 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755615b5 2 bytes JMP 7567fd59 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755615cd 2 bytes JMP 7568b2f4 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755616b2 2 bytes JMP 75708f8c C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\ab36fac3-93dd-4505-9add-ad6d38d4b914\plugincontainer.exe[2436] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755616bd 2 bytes JMP 75708759 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075561401 2 bytes JMP 7568b233 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075561419 2 bytes JMP 7568b35e C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075561431 2 bytes JMP 75709011 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007556144a 2 bytes CALL 756648ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755614dd 2 bytes JMP 7570890a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755614f5 2 bytes JMP 75708ae0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007556150d 2 bytes JMP 75708800 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075561525 2 bytes JMP 75708bca C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007556153d 2 bytes JMP 7567fcc0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075561555 2 bytes JMP 75686907 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007556156d 2 bytes JMP 757090c9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075561585 2 bytes JMP 75708c2a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007556159d 2 bytes JMP 757087c4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755615b5 2 bytes JMP 7567fd59 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755615cd 2 bytes JMP 7568b2f4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755616b2 2 bytes JMP 75708f8c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\ab36fac3-93dd-4505-9add-ad6d38d4b914\updater.exe[2708] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755616bd 2 bytes JMP 75708759 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075561401 2 bytes JMP 7568b233 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075561419 2 bytes JMP 7568b35e C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075561431 2 bytes JMP 75709011 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007556144a 2 bytes CALL 756648ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755614dd 2 bytes JMP 7570890a C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755614f5 2 bytes JMP 75708ae0 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007556150d 2 bytes JMP 75708800 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075561525 2 bytes JMP 75708bca C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007556153d 2 bytes JMP 7567fcc0 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075561555 2 bytes JMP 75686907 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007556156d 2 bytes JMP 757090c9 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075561585 2 bytes JMP 75708c2a C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007556159d 2 bytes JMP 757087c4 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755615b5 2 bytes JMP 7567fd59 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755615cd 2 bytes JMP 7568b2f4 C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755616b2 2 bytes JMP 75708f8c C:\windows\syswow64\kernel32.dll
.text C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe[4852] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755616bd 2 bytes JMP 75708759 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075561401 2 bytes JMP 7568b233 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075561419 2 bytes JMP 7568b35e C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075561431 2 bytes JMP 75709011 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007556144a 2 bytes CALL 756648ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755614dd 2 bytes JMP 7570890a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755614f5 2 bytes JMP 75708ae0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007556150d 2 bytes JMP 75708800 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075561525 2 bytes JMP 75708bca C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007556153d 2 bytes JMP 7567fcc0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075561555 2 bytes JMP 75686907 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007556156d 2 bytes JMP 757090c9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075561585 2 bytes JMP 75708c2a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007556159d 2 bytes JMP 757087c4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755615b5 2 bytes JMP 7567fd59 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755615cd 2 bytes JMP 7568b2f4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755616b2 2 bytes JMP 75708f8c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5872] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755616bd 2 bytes JMP 75708759 C:\windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004d70bec] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef87a741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef87a5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef87a5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef87a5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef87a7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef87a6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef87a6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef87a7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef87a7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef87a78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef87a4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef87a5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef87a7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\AUDIODG.EXE[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [77890000]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\kernel32.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\KERNELBASE.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77890000]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\RPCRT4.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\USER32.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\GDI32.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\ole32.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77890000]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\MSCTF.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\ADVAPI32.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\RpcRtRemote.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\ntmarta.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\CRYPTSP.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\rsaenh.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77890000]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\AVRT.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [77890000]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\system32\SETUPAPI.dll[ntdll.dll!NtClose] [77890010]
IAT C:\windows\system32\AUDIODG.EXE[3324] @ C:\windows\System32\CRYPT32.dll[ntdll.dll!NtClose] [77890010]

---- Processes - GMER 2.1 ----

Library C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\log.dll (*** suspicious ***) @ C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe [4852] (Eshield)(2016-01-28 20:49:09) 0000000067ad0000
Library C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\sqlite.1.dll (*** suspicious ***) @ C:\Users\Niagara\AppData\Local\TNT2\2.0.0.2030\TNT2User.exe [4852] (Search.Us.com)(2016-01-28 20:49:09) 00000000672f0000

---- Files - GMER 2.1 ----

File C:\Users\Niagara\AppData\Local\Mozilla\Firefox\Profiles\2758wj9a.default\cache2\entries\3F899FFF1186E52F4E104FF8E73A1092D0DE2A4F 409 bytes

---- EOF - GMER 2.1 ----