GMER 2.1.18952 - http://www.gmer.net Rootkit scan 2013-02-20 00:13:32 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0 232,89GB Running: gmer.exe; Driver: C:\Users\Justyna\AppData\Local\Temp\fxlirfow.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackTransaction + 13E9 81C878D9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81CAC312 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text autochk.exe 004011D1 29 Bytes [E5, 5D, C3, CC, CC, CC, CC, ...] .text autochk.exe 004011F0 28 Bytes [8B, E5, 5D, C3, CC, CC, CC, ...] .text autochk.exe 0040120F 33 Bytes [8B, E5, 5D, C3, CC, CC, CC, ...] .text autochk.exe 00401231 14 Bytes [08, 83, E0, 01, 74, 0C, 8B, ...] .text autochk.exe 00401240 11 Bytes [83, C4, 04, 8B, 45, FC, 8B, ...] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 01486390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 01486640 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 014853D0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 01485300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 014810A0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 01482570 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 01481290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 014811C0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 01481000 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 01482510 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 01482160 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 014823A0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 014820A0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[296] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 01481D10 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 00616390 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 00616640 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 006153D0 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 00615300 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 006110A0 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 00612570 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 00611290 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 006111C0 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 00611000 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 00612510 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 00611D10 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 00612160 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 006123A0 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] WININET.dll!HttpSendRequestA 75D5525A 3 Bytes JMP 006120A0 .text C:\Program Files\ASUS\Eee Docking\Eee Docking.exe[404] WININET.dll!HttpSendRequestA + 4 75D5525E 1 Byte [8A] .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 00486390 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 00486640 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 004853D0 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 00485300 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 004810A0 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 00482570 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 00481290 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 004811C0 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 00481000 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 00482510 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 00481D10 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 00482160 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 004823A0 .text C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe[1016] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 004820A0 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 02086390 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 02086640 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 020853D0 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 02085300 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 020810A0 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 02082570 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 02081290 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 020811C0 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 02081000 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 02082510 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 02081D10 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 02082160 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 020823A0 .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1040] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 020820A0 .text C:\Windows\AsScrPro.exe[1244] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 02146390 .text C:\Windows\AsScrPro.exe[1244] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 02146640 .text C:\Windows\AsScrPro.exe[1244] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 021453D0 .text C:\Windows\AsScrPro.exe[1244] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 02145300 .text C:\Windows\AsScrPro.exe[1244] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 021410A0 .text C:\Windows\AsScrPro.exe[1244] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 02142570 .text C:\Windows\AsScrPro.exe[1244] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 02141290 .text C:\Windows\AsScrPro.exe[1244] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 021411C0 .text C:\Windows\AsScrPro.exe[1244] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 02141000 .text C:\Windows\AsScrPro.exe[1244] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 02142510 .text C:\Windows\AsScrPro.exe[1244] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 02141D10 .text C:\Windows\AsScrPro.exe[1244] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 02142160 .text C:\Windows\AsScrPro.exe[1244] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 021423A0 .text C:\Windows\AsScrPro.exe[1244] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 021420A0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtCreateFile + 6 777346B6 4 Bytes [28, 80, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtCreateFile + B 777346BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 004D6390 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtMapViewOfSection + 6 77734D16 4 Bytes [28, 83, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtMapViewOfSection + B 77734D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenFile + 6 77734DC6 4 Bytes [68, 80, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenFile + B 77734DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenProcess + 6 77734E76 4 Bytes [A8, 81, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenProcess + B 77734E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenProcessToken + B 77734E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenProcessTokenEx + 6 77734E96 4 Bytes [A8, 82, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenProcessTokenEx + B 77734E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenThread + 6 77734EF6 4 Bytes [68, 81, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenThread + B 77734EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenThreadToken + 6 77734F06 4 Bytes [68, 82, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenThreadToken + B 77734F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtOpenThreadTokenEx + B 77734F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtQueryAttributesFile + 6 77735026 4 Bytes [A8, 80, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtQueryAttributesFile + B 7773502B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 004D6640 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtQueryFullAttributesFile + B 777350DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 004D53D0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtSetInformationFile + 6 77735726 4 Bytes [28, 81, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtSetInformationFile + B 7773572B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtSetInformationThread + 6 77735786 4 Bytes [28, 82, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtSetInformationThread + B 7773578B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtUnmapViewOfSection + 6 77735AA6 4 Bytes [68, 83, 4B, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!NtUnmapViewOfSection + B 77735AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 004D5300 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 004D1D10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 004D2160 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 004D23A0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1388] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 004D20A0 .text C:\windows\system32\taskhost.exe[1456] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 01FB6390 .text C:\windows\system32\taskhost.exe[1456] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 01FB6640 .text C:\windows\system32\taskhost.exe[1456] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 01FB53D0 .text C:\windows\system32\taskhost.exe[1456] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 01FB5300 .text C:\windows\system32\taskhost.exe[1456] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 01FB10A0 .text C:\windows\system32\taskhost.exe[1456] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 01FB2570 .text C:\windows\system32\taskhost.exe[1456] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 01FB1290 .text C:\windows\system32\taskhost.exe[1456] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 01FB11C0 .text C:\windows\system32\taskhost.exe[1456] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 01FB1000 .text C:\windows\system32\taskhost.exe[1456] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 01FB2510 .text C:\windows\system32\taskhost.exe[1456] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 01FB1D10 .text C:\windows\system32\taskhost.exe[1456] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 01FB2160 .text C:\windows\system32\taskhost.exe[1456] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 01FB23A0 .text C:\windows\system32\taskhost.exe[1456] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 01FB20A0 .text C:\windows\system32\Dwm.exe[1536] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 00156390 .text C:\windows\system32\Dwm.exe[1536] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 00156640 .text C:\windows\system32\Dwm.exe[1536] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 001553D0 .text C:\windows\system32\Dwm.exe[1536] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 00155300 .text C:\windows\system32\Dwm.exe[1536] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 001510A0 .text C:\windows\system32\Dwm.exe[1536] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 00152570 .text C:\windows\system32\Dwm.exe[1536] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 00151290 .text C:\windows\system32\Dwm.exe[1536] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 001511C0 .text C:\windows\system32\Dwm.exe[1536] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 00151000 .text C:\windows\system32\Dwm.exe[1536] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 00152510 .text C:\windows\system32\Dwm.exe[1536] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 00151D10 .text C:\windows\system32\Dwm.exe[1536] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 00152160 .text C:\windows\system32\Dwm.exe[1536] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 001523A0 .text C:\windows\system32\Dwm.exe[1536] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 001520A0 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 00646390 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 00646640 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 006453D0 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 00645300 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 006410A0 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 00642570 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 00641290 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 006411C0 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 00641000 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 00642510 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 00641D10 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 00642160 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 006423A0 .text C:\Program Files\asus\SystemSetting\WallPaperAgent.exe[1576] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 006420A0 .text C:\Windows\System32\igfxtray.exe[1584] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 01376390 .text C:\Windows\System32\igfxtray.exe[1584] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 01376640 .text C:\Windows\System32\igfxtray.exe[1584] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 013753D0 .text C:\Windows\System32\igfxtray.exe[1584] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 01375300 .text C:\Windows\System32\igfxtray.exe[1584] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 013710A0 .text C:\Windows\System32\igfxtray.exe[1584] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 01372570 .text C:\Windows\System32\igfxtray.exe[1584] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 01371290 .text C:\Windows\System32\igfxtray.exe[1584] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 013711C0 .text C:\Windows\System32\igfxtray.exe[1584] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 01371000 .text C:\Windows\System32\igfxtray.exe[1584] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 01372510 .text C:\Windows\System32\igfxtray.exe[1584] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 01371D10 .text C:\Windows\System32\igfxtray.exe[1584] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 01372160 .text C:\Windows\System32\igfxtray.exe[1584] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 013723A0 .text C:\Windows\System32\igfxtray.exe[1584] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 013720A0 .text C:\Windows\System32\hkcmd.exe[1616] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 014E6390 .text C:\Windows\System32\hkcmd.exe[1616] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 014E6640 .text C:\Windows\System32\hkcmd.exe[1616] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 014E53D0 .text C:\Windows\System32\hkcmd.exe[1616] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 014E5300 .text C:\Windows\System32\hkcmd.exe[1616] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 014E10A0 .text C:\Windows\System32\hkcmd.exe[1616] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 014E2570 .text C:\Windows\System32\hkcmd.exe[1616] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 014E1290 .text C:\Windows\System32\hkcmd.exe[1616] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 014E11C0 .text C:\Windows\System32\hkcmd.exe[1616] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 014E1000 .text C:\Windows\System32\hkcmd.exe[1616] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 014E2510 .text C:\Windows\System32\hkcmd.exe[1616] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 014E1D10 .text C:\Windows\System32\hkcmd.exe[1616] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 014E2160 .text C:\Windows\System32\hkcmd.exe[1616] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 014E23A0 .text C:\Windows\System32\hkcmd.exe[1616] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 014E20A0 .text C:\Windows\System32\igfxpers.exe[1692] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 003B6390 .text C:\Windows\System32\igfxpers.exe[1692] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 003B6640 .text C:\Windows\System32\igfxpers.exe[1692] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 003B53D0 .text C:\Windows\System32\igfxpers.exe[1692] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 003B5300 .text C:\Windows\System32\igfxpers.exe[1692] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 003B10A0 .text C:\Windows\System32\igfxpers.exe[1692] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 003B2570 .text C:\Windows\System32\igfxpers.exe[1692] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 003B1290 .text C:\Windows\System32\igfxpers.exe[1692] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 003B11C0 .text C:\Windows\System32\igfxpers.exe[1692] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 003B1000 .text C:\Windows\System32\igfxpers.exe[1692] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 003B2510 .text C:\Windows\System32\igfxpers.exe[1692] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 003B1D10 .text C:\Windows\System32\igfxpers.exe[1692] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 003B2160 .text C:\Windows\System32\igfxpers.exe[1692] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 003B23A0 .text C:\Windows\System32\igfxpers.exe[1692] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 003B20A0 .text C:\windows\Explorer.exe[1696] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 040A6390 .text C:\windows\Explorer.exe[1696] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 040A6640 .text C:\windows\Explorer.exe[1696] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 040A53D0 .text C:\windows\Explorer.exe[1696] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 040A5300 .text C:\windows\Explorer.exe[1696] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 040A10A0 .text C:\windows\Explorer.exe[1696] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 040A2570 .text C:\windows\Explorer.exe[1696] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 040A1290 .text C:\windows\Explorer.exe[1696] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 040A11C0 .text C:\windows\Explorer.exe[1696] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 040A1000 .text C:\windows\Explorer.exe[1696] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 040A2510 .text C:\windows\Explorer.exe[1696] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 040A2160 .text C:\windows\Explorer.exe[1696] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 040A23A0 .text C:\windows\Explorer.exe[1696] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 040A20A0 .text C:\windows\Explorer.exe[1696] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 040A1D10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtCreateFile + 6 777346B6 4 Bytes [28, CC, 29, 00] {SUB AH, CL; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtCreateFile + B 777346BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 002C6390 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtMapViewOfSection + 6 77734D16 4 Bytes [28, CF, 29, 00] {SUB BH, CL; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtMapViewOfSection + B 77734D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenFile + 6 77734DC6 4 Bytes [68, CC, 29, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenFile + B 77734DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenProcess + 6 77734E76 4 Bytes [A8, CD, 29, 00] {TEST AL, 0xcd; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenProcess + B 77734E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenProcessToken + B 77734E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenProcessTokenEx + 6 77734E96 4 Bytes [A8, CE, 29, 00] {TEST AL, 0xce; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenProcessTokenEx + B 77734E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenThread + 6 77734EF6 4 Bytes [68, CD, 29, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenThread + B 77734EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenThreadToken + 6 77734F06 4 Bytes [68, CE, 29, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenThreadToken + B 77734F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtOpenThreadTokenEx + B 77734F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtQueryAttributesFile + 6 77735026 4 Bytes [A8, CC, 29, 00] {TEST AL, 0xcc; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtQueryAttributesFile + B 7773502B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 002C6640 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtQueryFullAttributesFile + B 777350DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 002C53D0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtSetInformationFile + 6 77735726 4 Bytes [28, CD, 29, 00] {SUB CH, CL; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtSetInformationFile + B 7773572B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtSetInformationThread + 6 77735786 4 Bytes [28, CE, 29, 00] {SUB DH, CL; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtSetInformationThread + B 7773578B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtUnmapViewOfSection + 6 77735AA6 4 Bytes [68, CF, 29, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!NtUnmapViewOfSection + B 77735AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 002C5300 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 002C1D10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 002C2160 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 002C23A0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1996] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 002C20A0 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 01376390 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 01376640 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 013753D0 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 01375300 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 013710A0 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 01372570 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 01371290 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 013711C0 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 01371000 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 01372510 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 01371D10 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 01372160 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 013723A0 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2004] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 013720A0 .text C:\Windows\system32\igfxsrvc.exe[2104] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 00566390 .text C:\Windows\system32\igfxsrvc.exe[2104] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 00566640 .text C:\Windows\system32\igfxsrvc.exe[2104] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 005653D0 .text C:\Windows\system32\igfxsrvc.exe[2104] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 00565300 .text C:\Windows\system32\igfxsrvc.exe[2104] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 005610A0 .text C:\Windows\system32\igfxsrvc.exe[2104] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 00562570 .text C:\Windows\system32\igfxsrvc.exe[2104] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 00561290 .text C:\Windows\system32\igfxsrvc.exe[2104] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 005611C0 .text C:\Windows\system32\igfxsrvc.exe[2104] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 00561000 .text C:\Windows\system32\igfxsrvc.exe[2104] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 00562510 .text C:\Windows\system32\igfxsrvc.exe[2104] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 00561D10 .text C:\Windows\system32\igfxsrvc.exe[2104] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 00562160 .text C:\Windows\system32\igfxsrvc.exe[2104] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 005623A0 .text C:\Windows\system32\igfxsrvc.exe[2104] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 005620A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 00336390 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 00336640 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 003353D0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 00335300 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 003310A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 00332570 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 00331290 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 003311C0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 00331000 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 00332510 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 00332160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 003323A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 003320A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2176] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 00331D10 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 019F6390 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 019F6640 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 019F53D0 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 019F5300 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 019F10A0 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 019F2570 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 019F1290 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 019F11C0 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 019F1000 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 019F2510 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 019F2160 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 019F23A0 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 019F20A0 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2248] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 019F1D10 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 04FF6390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 04FF6640 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 04FF53D0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 04FF5300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 04FF10A0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 04FF2570 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 04FF1290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 04FF11C0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 04FF1000 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 04FF2510 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 04FF2160 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 04FF23A0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 04FF20A0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2288] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 04FF1D10 .text C:\Program Files\Skype\Phone\Skype.exe[2892] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 0CEF6390 .text C:\Program Files\Skype\Phone\Skype.exe[2892] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 0CEF6640 .text C:\Program Files\Skype\Phone\Skype.exe[2892] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 0CEF53D0 .text C:\Program Files\Skype\Phone\Skype.exe[2892] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 0CEF5300 .text C:\Program Files\Skype\Phone\Skype.exe[2892] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 0CEF10A0 .text C:\Program Files\Skype\Phone\Skype.exe[2892] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 0CEF2570 .text C:\Program Files\Skype\Phone\Skype.exe[2892] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 0CEF1290 .text C:\Program Files\Skype\Phone\Skype.exe[2892] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 0CEF11C0 .text C:\Program Files\Skype\Phone\Skype.exe[2892] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 0CEF1000 .text C:\Program Files\Skype\Phone\Skype.exe[2892] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 0CEF2510 .text C:\Program Files\Skype\Phone\Skype.exe[2892] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 0CEF2160 .text C:\Program Files\Skype\Phone\Skype.exe[2892] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 0CEF23A0 .text C:\Program Files\Skype\Phone\Skype.exe[2892] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 0CEF20A0 .text C:\Program Files\Skype\Phone\Skype.exe[2892] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 0CEF1D10 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 01986390 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 01986640 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 019853D0 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 01985300 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] kernel32.dll!CopyFileW 76518CF7 5 Bytes JMP 019810A0 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] kernel32.dll!MoveFileW 7651A1DB 5 Bytes JMP 01982570 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] kernel32.dll!CreateFileW 76530B3D 5 Bytes JMP 01981290 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] kernel32.dll!CreateFileA 765328DC 5 Bytes JMP 019811C0 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] kernel32.dll!CopyFileA 76547CCC 5 Bytes JMP 01981000 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] kernel32.dll!MoveFileA 7656AD31 5 Bytes JMP 01982510 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 01981D10 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 01982160 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 019823A0 .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[2936] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 019820A0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3696] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 00076390 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3696] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 00076640 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3696] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 000753D0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3696] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 00075300 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3696] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 00071D10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3696] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 00072160 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3696] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 000723A0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3696] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 000720A0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtCreateFile + 6 777346B6 4 Bytes [28, 1C, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtCreateFile + B 777346BB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtEnumerateValueKey 77734A00 5 Bytes JMP 002A6390 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtMapViewOfSection + 6 77734D16 4 Bytes [28, 1F, 28, 00] {SUB [EDI], BL; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtMapViewOfSection + B 77734D1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenFile + 6 77734DC6 4 Bytes [68, 1C, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenFile + B 77734DCB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcess + 6 77734E76 4 Bytes [A8, 1D, 28, 00] {TEST AL, 0x1d; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcess + B 77734E7B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcessToken + B 77734E8B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcessTokenEx + 6 77734E96 4 Bytes [A8, 1E, 28, 00] {TEST AL, 0x1e; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenProcessTokenEx + B 77734E9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThread + 6 77734EF6 4 Bytes [68, 1D, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThread + B 77734EFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThreadToken + 6 77734F06 4 Bytes [68, 1E, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThreadToken + B 77734F0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtOpenThreadTokenEx + B 77734F1B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtQueryAttributesFile + 6 77735026 4 Bytes [A8, 1C, 28, 00] {TEST AL, 0x1c; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtQueryAttributesFile + B 7773502B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtQueryDirectoryFile 77735080 5 Bytes JMP 002A6640 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtQueryFullAttributesFile + B 777350DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtResumeThread 77735590 5 Bytes JMP 002A53D0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtSetInformationFile + 6 77735726 4 Bytes [28, 1D, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtSetInformationFile + B 7773572B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtSetInformationThread + 6 77735786 4 Bytes [28, 1E, 28, 00] {SUB [ESI], BL; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtSetInformationThread + B 7773578B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtUnmapViewOfSection + 6 77735AA6 4 Bytes [68, 1F, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!NtUnmapViewOfSection + B 77735AAB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] ntdll.dll!LdrLoadDll 7774F425 5 Bytes JMP 002A5300 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] WS2_32.dll!GetAddrInfoW 75CB60F5 5 Bytes JMP 002A1D10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] WININET.dll!HttpSendRequestW 75D2632D 5 Bytes JMP 002A2160 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] WININET.dll!InternetWriteFile 75D3F6C6 5 Bytes JMP 002A23A0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3932] WININET.dll!HttpSendRequestA 75D5525A 5 Bytes JMP 002A20A0 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\00000043 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d42a5e Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d42a5e (not active ControlSet) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel\xae Matrix Storage Manager\Intel\xae Matrix Storage Console.lnk 1 ---- EOF - GMER 2.1 ----