GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-20 13:15:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45 465,76GB Running: korhysn7.exe; Driver: C:\Users\edek\AppData\Local\Temp\aftcyaog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000001777c00a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 00000001777c0018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000001777c03d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000001777c01b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 00000001777c0128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 00000001777c0238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000001777c02c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 00000001777c0348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 00000001777c0458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000001777c04e0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000001777c00a0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 00000001777c0018 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000001777c03d0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000001777c01b0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 00000001777c0128 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 00000001777c0238 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000001777c02c0 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 00000001777c0348 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 00000001777c0458 .text C:\Windows\system32\svchost.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000001777c04e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000001777c00a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 00000001777c0018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000001777c03d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000001777c01b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 00000001777c0128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 00000001777c0238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000001777c02c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 00000001777c0348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 00000001777c0458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000001777c04e0 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000001777c00a0 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 00000001777c0018 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000001777c03d0 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000001777c01b0 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 00000001777c0128 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 00000001777c0238 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000001777c02c0 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 00000001777c0348 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 00000001777c0458 .text C:\Windows\system32\svchost.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000001777c04e0 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\system32\SearchIndexer.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\system32\taskhost.exe[3944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\system32\Dwm.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\Explorer.EXE[4200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\system32\conhost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\servicing\TrustedInstaller.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000779cfc90 5 bytes JMP 00000001706822f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000779cfe54 5 bytes JMP 0000000170682180 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000779cfee8 5 bytes JMP 00000001706825b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000779cffb4 5 bytes JMP 0000000170682590 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779d00a8 5 bytes JMP 00000001706824b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779d07dc 5 bytes JMP 00000001706825d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000779d08b4 5 bytes JMP 0000000170682610 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779d095c 5 bytes JMP 0000000170682650 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000779d10b8 5 bytes JMP 00000001706825f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000779d1130 1 byte JMP 0000000170682630 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 2 00000000779d1132 3 bytes {JMP 0xfffffffff8cb1500} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2604] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076132ab1 5 bytes JMP 000000010090f046 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000779cfc90 5 bytes JMP 00000001706822f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000779cfe54 5 bytes JMP 0000000170682180 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000779cfee8 5 bytes JMP 00000001706825b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000779cffb4 5 bytes JMP 0000000170682590 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779d00a8 5 bytes JMP 00000001706824b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779d07dc 5 bytes JMP 00000001706825d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000779d08b4 5 bytes JMP 0000000170682610 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779d095c 5 bytes JMP 0000000170682650 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000779d10b8 5 bytes JMP 00000001706825f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000779d1130 1 byte JMP 0000000170682630 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5476] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 2 00000000779d1132 3 bytes {JMP 0xfffffffff8cb1500} .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000779cfc90 5 bytes JMP 00000001706822f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000779cfe54 5 bytes JMP 0000000170682180 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000779cfee8 5 bytes JMP 00000001706825b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000779cffb4 5 bytes JMP 0000000170682590 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779d00a8 5 bytes JMP 00000001706824b0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779d07dc 5 bytes JMP 00000001706825d0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000779d08b4 5 bytes JMP 0000000170682610 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779d095c 5 bytes JMP 0000000170682650 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000779d10b8 5 bytes JMP 00000001706825f0 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000779d1130 1 byte JMP 0000000170682630 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 2 00000000779d1132 3 bytes {JMP 0xfffffffff8cb1500} .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075561401 2 bytes JMP 774db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075561419 2 bytes JMP 774db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075561431 2 bytes JMP 77558fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007556144a 2 bytes CALL 774b489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755614dd 2 bytes JMP 775588c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755614f5 2 bytes JMP 77558aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007556150d 2 bytes JMP 775587ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075561525 2 bytes JMP 77558b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007556153d 2 bytes JMP 774cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075561555 2 bytes JMP 774d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007556156d 2 bytes JMP 77559089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075561585 2 bytes JMP 77558bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007556159d 2 bytes JMP 7755877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755615b5 2 bytes JMP 774cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755615cd 2 bytes JMP 774db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755616b2 2 bytes JMP 77558f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Av\avgui.exe[5568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755616bd 2 bytes JMP 77558713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000779cfc90 5 bytes JMP 00000001706822f0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000779cfe54 5 bytes JMP 0000000170682180 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000779cfee8 5 bytes JMP 00000001706825b0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000779cffb4 5 bytes JMP 0000000170682590 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779d00a8 5 bytes JMP 00000001706824b0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779d07dc 5 bytes JMP 00000001706825d0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000779d08b4 5 bytes JMP 0000000170682610 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779d095c 5 bytes JMP 0000000170682650 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000779d10b8 5 bytes JMP 00000001706825f0 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000779d1130 1 byte JMP 0000000170682630 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 2 00000000779d1132 3 bytes {JMP 0xfffffffff8cb1500} .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075561401 2 bytes JMP 774db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075561419 2 bytes JMP 774db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075561431 2 bytes JMP 77558fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007556144a 2 bytes CALL 774b489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755614dd 2 bytes JMP 775588c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755614f5 2 bytes JMP 77558aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007556150d 2 bytes JMP 775587ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075561525 2 bytes JMP 77558b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007556153d 2 bytes JMP 774cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075561555 2 bytes JMP 774d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007556156d 2 bytes JMP 77559089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075561585 2 bytes JMP 77558bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007556159d 2 bytes JMP 7755877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755615b5 2 bytes JMP 774cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755615cd 2 bytes JMP 774db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755616b2 2 bytes JMP 77558f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755616bd 2 bytes JMP 77558713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000779cfc90 5 bytes JMP 00000001706822f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000779cfe54 5 bytes JMP 0000000170682180 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000779cfee8 5 bytes JMP 00000001706825b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000779cffb4 5 bytes JMP 0000000170682590 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779d00a8 5 bytes JMP 00000001706824b0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779d07dc 5 bytes JMP 00000001706825d0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000779d08b4 5 bytes JMP 0000000170682610 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779d095c 5 bytes JMP 0000000170682650 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000779d10b8 5 bytes JMP 00000001706825f0 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000779d1130 1 byte JMP 0000000170682630 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 2 00000000779d1132 3 bytes {JMP 0xfffffffff8cb1500} .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075561401 2 bytes JMP 774db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075561419 2 bytes JMP 774db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075561431 2 bytes JMP 77558fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007556144a 2 bytes CALL 774b489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755614dd 2 bytes JMP 775588c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755614f5 2 bytes JMP 77558aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007556150d 2 bytes JMP 775587ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075561525 2 bytes JMP 77558b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007556153d 2 bytes JMP 774cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075561555 2 bytes JMP 774d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007556156d 2 bytes JMP 77559089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075561585 2 bytes JMP 77558bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007556159d 2 bytes JMP 7755877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755615b5 2 bytes JMP 774cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755615cd 2 bytes JMP 774db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755616b2 2 bytes JMP 77558f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755616bd 2 bytes JMP 77558713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000779cfc90 5 bytes JMP 00000001706822f0 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000779cfe54 5 bytes JMP 0000000170682180 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000779cfee8 5 bytes JMP 00000001706825b0 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000779cffb4 5 bytes JMP 0000000170682590 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779d00a8 5 bytes JMP 00000001706824b0 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779d07dc 5 bytes JMP 00000001706825d0 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000779d08b4 5 bytes JMP 0000000170682610 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779d095c 5 bytes JMP 0000000170682650 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000779d10b8 5 bytes JMP 00000001706825f0 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000779d1130 1 byte JMP 0000000170682630 .text C:\Windows\SysWOW64\ctfmon.exe[5916] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 2 00000000779d1132 3 bytes {JMP 0xfffffffff8cb1500} .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000001777c00a0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 00000001777c0018 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000001777c03d0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000001777c01b0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 00000001777c0128 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 00000001777c0238 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000001777c02c0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 00000001777c0348 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 00000001777c0458 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000001777c04e0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000779cfc90 5 bytes JMP 00000001706822f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000779cfe54 5 bytes JMP 0000000170682180 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000779cfee8 5 bytes JMP 00000001706825b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000779cffb4 5 bytes JMP 0000000170682590 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779d00a8 5 bytes JMP 00000001706824b0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000779d07dc 5 bytes JMP 00000001706825d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000779d08b4 5 bytes JMP 0000000170682610 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000779d095c 5 bytes JMP 0000000170682650 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000779d10b8 5 bytes JMP 00000001706825f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000779d1130 1 byte JMP 0000000170682630 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2332] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore + 2 00000000779d1132 3 bytes {JMP 0xfffffffff8cb1500} .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\system32\taskeng.exe[4272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\notepad.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007781dc30 5 bytes JMP 00000000779800a0 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007781dd50 5 bytes JMP 0000000077980018 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007781ddb0 5 bytes JMP 00000000779803d0 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007781de30 5 bytes JMP 00000000779801b0 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007781ded0 5 bytes JMP 0000000077980128 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007781e380 5 bytes JMP 0000000077980238 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007781e410 5 bytes JMP 00000000779802c0 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007781e480 5 bytes JMP 0000000077980348 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007781e940 5 bytes JMP 0000000077980458 .text C:\Windows\system32\taskeng.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007781e990 5 bytes JMP 00000000779804e0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1772:3776] 000007fefa5a2af8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1772:3692] 000007feebde5648 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\programy do instalki\\x2666AVG Internet Security 2013 Build 2667 Build 5738 [PL][Key][Najnowsza wersja 2013] (toni2010)\AVG Internet Security 2013 [PL] [+key]\AVG Internet Security 2013 [PL] [+key]\avg_isct_x86_all_2013_2667a5738.exe 1 ---- EOF - GMER 2.1 ----