GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-13 14:24:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000065 PLEXTOR_ rev.1.05 119,24GB Running: nhn60ekq.exe; Driver: C:\Users\Mari\AppData\Local\Temp\fwlciaoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074df1401 2 bytes JMP 7629b21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074df1419 2 bytes JMP 7629b346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074df1431 2 bytes JMP 76318ea9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074df144a 2 bytes CALL 762748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074df14dd 2 bytes JMP 763187a2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074df14f5 2 bytes JMP 76318978 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074df150d 2 bytes JMP 76318698 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074df1525 2 bytes JMP 76318a62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074df153d 2 bytes JMP 7628fca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074df1555 2 bytes JMP 762968ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074df156d 2 bytes JMP 76318f61 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074df1585 2 bytes JMP 76318ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074df159d 2 bytes JMP 7631865c C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074df15b5 2 bytes JMP 7628fd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074df15cd 2 bytes JMP 7629b2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074df16b2 2 bytes JMP 76318e24 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074df16bd 2 bytes JMP 763185f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskhost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\taskhost.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\taskhost.exe[3552] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\Dwm.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\Dwm.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\Dwm.exe[3616] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Windows\Explorer.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\Explorer.EXE[3640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\Explorer.EXE[3640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3920] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3920] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074df1401 2 bytes JMP 7629b21b C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074df1419 2 bytes JMP 7629b346 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074df1431 2 bytes JMP 76318ea9 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074df144a 2 bytes CALL 762748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074df14dd 2 bytes JMP 763187a2 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074df14f5 2 bytes JMP 76318978 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074df150d 2 bytes JMP 76318698 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074df1525 2 bytes JMP 76318a62 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074df153d 2 bytes JMP 7628fca8 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074df1555 2 bytes JMP 762968ef C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074df156d 2 bytes JMP 76318f61 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074df1585 2 bytes JMP 76318ac2 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074df159d 2 bytes JMP 7631865c C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074df15b5 2 bytes JMP 7628fd41 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074df15cd 2 bytes JMP 7629b2dc C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074df16b2 2 bytes JMP 76318e24 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074df16bd 2 bytes JMP 763185f1 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000705111a8 2 bytes [51, 70] .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000007051127d 2 bytes CALL 762714b9 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395 0000000070511310 2 bytes CALL 762714b9 C:\Windows\syswow64\kernel32.dll .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000705113a8 2 bytes [51, 70] .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000070511422 2 bytes [51, 70] .text F:\Skype\Phone\Skype.exe[1792] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000070511498 2 bytes [51, 70] .text C:\Users\Mari\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1780] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Users\Mari\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1780] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Users\Mari\AppData\Roaming\Spotify\SpotifyWebHelper.exe[1780] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[1740] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[1740] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTsysTray8.exe[1740] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3396] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3396] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[3440] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[3440] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe[3440] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3248] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3248] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files (x86)\XFastUSB\XFastUsb.exe[3248] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe[1572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe[3492] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text F:\AVG\AVG2015\avgui.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text F:\AVG\AVG2015\avgui.exe[3996] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text F:\AVG\AVG2015\avgui.exe[3996] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074df1401 2 bytes JMP 7629b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074df1419 2 bytes JMP 7629b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074df1431 2 bytes JMP 76318ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074df144a 2 bytes CALL 762748ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074df14dd 2 bytes JMP 763187a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074df14f5 2 bytes JMP 76318978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074df150d 2 bytes JMP 76318698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074df1525 2 bytes JMP 76318a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074df153d 2 bytes JMP 7628fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074df1555 2 bytes JMP 762968ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074df156d 2 bytes JMP 76318f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074df1585 2 bytes JMP 76318ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074df159d 2 bytes JMP 7631865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074df15b5 2 bytes JMP 7628fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074df15cd 2 bytes JMP 7629b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074df16b2 2 bytes JMP 76318e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe[3768] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074df16bd 2 bytes JMP 763185f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\conhost.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\conhost.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\conhost.exe[3864] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\taskeng.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\taskeng.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\taskeng.exe[4116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\taskeng.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\taskeng.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\taskeng.exe[4276] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Users\Mari\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Users\Mari\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe[4464] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Users\Mari\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe[4464] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Windows\SysWOW64\ctfmon.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Windows\SysWOW64\ctfmon.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Windows\SysWOW64\ctfmon.exe[4568] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4700] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\taskhost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\taskhost.exe[4716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\taskhost.exe[4716] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[4160] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[4160] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe[4160] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\SearchIndexer.exe[3756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Windows\system32\svchost.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000176d00128 .text C:\Windows\system32\svchost.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000176d00018 .text C:\Windows\system32\svchost.exe[5832] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076d000a0 .text C:\Windows\system32\SearchProtocolHost.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\SearchProtocolHost.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\SearchProtocolHost.exe[5864] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4920] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4920] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1140] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1140] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3680] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6064] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 .text C:\Windows\system32\sppsvc.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d61530 5 bytes JMP 0000000076ec0128 .text C:\Windows\system32\sppsvc.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d61650 5 bytes JMP 0000000076ec0018 .text C:\Windows\system32\sppsvc.exe[1840] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076b0db80 5 bytes JMP 0000000076ec00a0 .text G:\Pobrane z Chrome #2\nhn60ekq.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc50 5 bytes JMP 0000000170541460 .text G:\Pobrane z Chrome #2\nhn60ekq.exe[1680] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076f0fe14 5 bytes JMP 0000000170541120 .text G:\Pobrane z Chrome #2\nhn60ekq.exe[1680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076283bbb 5 bytes JMP 0000000170541260 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x25 0x1C 0xBA 0xAD ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF8 0xF6 0x81 0xCA ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x25 0x1C 0xBA 0xAD ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF8 0xF6 0x81 0xCA ... ---- Files - GMER 2.1 ---- File C:\Users\Mari\AppData\Local\Avg2015\temp\avg-1063b568-e44b-4612-b9d5-b15af8124e79.tmp (size mismatch) 102400/0 bytes executable ---- EOF - GMER 2.1 ----