GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-31 13:51:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 ATA_____ rev.CC44 931,51GB Running: zl3ecti4.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\kgloapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\services.exe[744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\System32\svchost.exe[460] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1664] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd6a45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskhost.exe[1664] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd6a9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\taskhost.exe[1664] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd6ce0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskhost.exe[1664] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd6ce450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\svchost.exe[1704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd6a45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd6a9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd6ce0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[1800] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd6ce450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1228] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe[1736] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe[2112] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe[2152] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\AsusFanControlService\1.02.00\AsusFanControlService.exe[2176] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2692] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Windows\Explorer.EXE[2736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\Explorer.EXE[2736] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd6a45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[2736] C:\Windows\system32\WS2_32.dll!getsockname 000007fefd6a9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\Explorer.EXE[2736] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd6ce0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[2736] C:\Windows\system32\WS2_32.dll!getpeername 000007fefd6ce450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[3004] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[3004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074d31a22 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[3004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074d31ad0 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[3004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074d31b08 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[3004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074d31bba 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[3004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074d31bda 2 bytes [D3, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[3004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077431465 2 bytes [43, 77] .text C:\Windows\SysWOW64\PnkBstrA.exe[3004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774314bb 2 bytes [43, 77] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3064] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\conhost.exe[2204] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe[3136] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[3256] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3464] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd6a45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\rundll32.exe[3464] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd6a9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\rundll32.exe[3464] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd6ce0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\rundll32.exe[3464] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd6ce450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\rundll32.exe[3552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3552] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd6a45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\rundll32.exe[3552] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd6a9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\rundll32.exe[3552] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd6ce0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\rundll32.exe[3552] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd6ce450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 0000000076b330aa 7 bytes JMP 00000001004e0095 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\syswow64\WS2_32.dll!recv + 202 0000000076b36bd8 7 bytes JMP 00000001004e002d .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 0000000076b37142 7 bytes JMP 00000001004e00c9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom + 148 0000000076b3cc3a 7 bytes JMP 00000001004e0061 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076179d0b 5 bytes JMP 000000011000a4d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076179d4e 5 bytes JMP 000000011000a630 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007083451e 5 bytes JMP 000000011000ab40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070834b6d 5 bytes JMP 000000011000abb0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070834bf2 5 bytes JMP 000000011000ac90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070834f0f 5 bytes JMP 000000011000ac50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070834f7b 5 bytes JMP 000000011000ac10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070839054 5 bytes JMP 000000011000ad10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007083adf9 5 bytes JMP 000000011000abe0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000708552e8 5 bytes JMP 000000011000acd0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007085535f 5 bytes JMP 000000011000acf0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000708559cc 5 bytes JMP 000000011000ae40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070855a6a 5 bytes JMP 000000011000aec0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070855ad7 5 bytes JMP 000000011000af00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070855b5b 5 bytes JMP 000000011000af40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070855bba 5 bytes JMP 000000011000af80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070855bee 5 bytes JMP 000000011000b000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070855c22 5 bytes JMP 000000011000b060 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070855c67 5 bytes JMP 000000011000b0d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006f757e3d 3 bytes JMP 000000011000a690 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate + 4 000000006f757e41 1 byte [A0] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006f78de69 5 bytes JMP 000000011000a770 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006f79d2c5 5 bytes JMP 000000011000a8a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006f79d371 5 bytes JMP 000000011000a990 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3652] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006f79d429 5 bytes JMP 000000011000aa80 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076179d0b 5 bytes JMP 000000011000a4d0 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076179d4e 5 bytes JMP 000000011000a630 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007083451e 5 bytes JMP 000000011000ab40 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070834b6d 5 bytes JMP 000000011000abb0 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070834bf2 5 bytes JMP 000000011000ac90 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070834f0f 5 bytes JMP 000000011000ac50 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070834f7b 5 bytes JMP 000000011000ac10 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070839054 5 bytes JMP 000000011000ad10 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007083adf9 5 bytes JMP 000000011000abe0 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000708552e8 5 bytes JMP 000000011000acd0 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007085535f 5 bytes JMP 000000011000acf0 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000708559cc 5 bytes JMP 000000011000ae40 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070855a6a 5 bytes JMP 000000011000aec0 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070855ad7 5 bytes JMP 000000011000af00 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070855b5b 5 bytes JMP 000000011000af40 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070855bba 5 bytes JMP 000000011000af80 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070855bee 5 bytes JMP 000000011000b000 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070855c22 5 bytes JMP 000000011000b060 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070855c67 5 bytes JMP 000000011000b0d0 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006f757e3d 3 bytes JMP 000000011000a690 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate + 4 000000006f757e41 1 byte [A0] .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006f78de69 5 bytes JMP 000000011000a770 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006f79d2c5 5 bytes JMP 000000011000a8a0 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006f79d371 5 bytes JMP 000000011000a990 .text C:\Windows\SysWOW64\HsMgr.exe[3668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006f79d429 5 bytes JMP 000000011000aa80 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveOutClose 000007fefa2236ac 5 bytes JMP 000007fefd4801f0 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveOutUnprepareHeader 000007fefa223770 5 bytes JMP 000007fefd480298 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveOutOpen 000007fefa2238d0 5 bytes JMP 000007fefd4801b8 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveOutPrepareHeader 000007fefa223ca4 5 bytes JMP 000007fefd480260 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveOutWrite 000007fefa223d40 5 bytes JMP 000007fefd480228 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInOpen 000007fefa227fe0 7 bytes JMP 000007fefd480378 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveOutReset 000007fefa22a38c 5 bytes JMP 000007fefd4802d0 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveOutGetVolume 000007fefa2449f0 5 bytes JMP 000007fefd480308 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveOutSetVolume 000007fefa244ab0 5 bytes JMP 000007fefd480340 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInClose 000007fefa2452e0 5 bytes JMP 000007fefd4803b0 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInPrepareHeader 000007fefa2453c0 5 bytes JMP 000007fefd480490 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInUnprepareHeader 000007fefa245454 5 bytes JMP 000007fefd4804c8 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInAddBuffer 000007fefa245514 5 bytes JMP 000007fefd480500 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInStart 000007fefa2455a4 6 bytes JMP 000007fefd4803e8 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInStop 000007fefa2455e4 6 bytes JMP 000007fefd480420 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInReset 000007fefa245624 5 bytes JMP 000007fefd480458 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\WINMM.dll!waveInGetPosition 000007fefa24567c 5 bytes JMP 000007fefd480538 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\DSOUND.dll!DirectSoundCreate8 000007fef0986944 7 bytes JMP 000007fefd480180 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\DSOUND.dll!DirectSoundCreate 000007fef09a5a84 7 bytes JMP 000007fefd480148 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate 000007fef09a5b90 7 bytes JMP 000007fefd480570 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate8 000007fef09a5c94 7 bytes JMP 000007fefd4805a8 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\DSOUND.dll!DirectSoundFullDuplexCreate 000007fef09a5da8 5 bytes JMP 000007fefd4805e0 .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd6a45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd6a9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd6ce0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system\HsMgr64.exe[3676] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd6ce450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text D:\Rainlendar2\Rainlendar2.exe[3696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text D:\Rainlendar2\Rainlendar2.exe[3696] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd6a45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text D:\Rainlendar2\Rainlendar2.exe[3696] C:\Windows\system32\WS2_32.dll!getsockname 000007fefd6a9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text D:\Rainlendar2\Rainlendar2.exe[3696] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd6ce0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text D:\Rainlendar2\Rainlendar2.exe[3696] C:\Windows\system32\WS2_32.dll!getpeername 000007fefd6ce450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\SearchIndexer.exe[3908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076179d0b 5 bytes JMP 000000011000a4d0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076179d4e 5 bytes JMP 000000011000a630 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077431465 2 bytes [43, 77] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774314bb 2 bytes [43, 77] .text ... * 2 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007083451e 5 bytes JMP 000000011000ab40 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070834b6d 5 bytes JMP 000000011000abb0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070834bf2 5 bytes JMP 000000011000ac90 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070834f0f 5 bytes JMP 000000011000ac50 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070834f7b 5 bytes JMP 000000011000ac10 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070839054 5 bytes JMP 000000011000ad10 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007083adf9 5 bytes JMP 000000011000abe0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000708552e8 5 bytes JMP 000000011000acd0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007085535f 5 bytes JMP 000000011000acf0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000708559cc 5 bytes JMP 000000011000ae40 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070855a6a 5 bytes JMP 000000011000aec0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070855ad7 5 bytes JMP 000000011000af00 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070855b5b 5 bytes JMP 000000011000af40 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070855bba 5 bytes JMP 000000011000af80 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070855bee 5 bytes JMP 000000011000b000 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070855c22 5 bytes JMP 000000011000b060 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070855c67 5 bytes JMP 000000011000b0d0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006f757e3d 3 bytes JMP 000000011000a690 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate + 4 000000006f757e41 1 byte [A0] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006f78de69 5 bytes JMP 000000011000a770 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006f79d2c5 5 bytes JMP 000000011000a8a0 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006f79d371 5 bytes JMP 000000011000a990 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4532] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006f79d429 5 bytes JMP 000000011000aa80 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076179d0b 5 bytes JMP 000000010065a4d0 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076179d4e 5 bytes JMP 000000010065a630 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007083451e 5 bytes JMP 000000010065ab40 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070834b6d 5 bytes JMP 000000010065abb0 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070834bf2 5 bytes JMP 000000010065ac90 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070834f0f 5 bytes JMP 000000010065ac50 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070834f7b 5 bytes JMP 000000010065ac10 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070839054 5 bytes JMP 000000010065ad10 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007083adf9 5 bytes JMP 000000010065abe0 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000708552e8 5 bytes JMP 000000010065acd0 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007085535f 5 bytes JMP 000000010065acf0 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000708559cc 5 bytes JMP 000000010065ae40 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070855a6a 5 bytes JMP 000000010065aec0 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070855ad7 5 bytes JMP 000000010065af00 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070855b5b 5 bytes JMP 000000010065af40 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070855bba 5 bytes JMP 000000010065af80 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070855bee 5 bytes JMP 000000010065b000 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070855c22 5 bytes JMP 000000010065b060 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070855c67 5 bytes JMP 000000010065b0d0 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006f757e3d 5 bytes JMP 000000010065a690 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006f78de69 5 bytes JMP 000000010065a770 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006f79d2c5 5 bytes JMP 000000010065a8a0 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006f79d371 5 bytes JMP 000000010065a990 .text C:\Program Files (x86)\Gaming Mouse\hid.exe[4600] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006f79d429 5 bytes JMP 000000010065aa80 .text C:\Program Files\AVAST Software\Avast\avastui.exe[4608] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076179d0b 5 bytes JMP 000000011000a4d0 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076179d4e 5 bytes JMP 000000011000a630 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007083451e 5 bytes JMP 000000011000ab40 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070834b6d 5 bytes JMP 000000011000abb0 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070834bf2 5 bytes JMP 000000011000ac90 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070834f0f 5 bytes JMP 000000011000ac50 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070834f7b 5 bytes JMP 000000011000ac10 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070839054 5 bytes JMP 000000011000ad10 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007083adf9 5 bytes JMP 000000011000abe0 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000708552e8 5 bytes JMP 000000011000acd0 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007085535f 5 bytes JMP 000000011000acf0 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000708559cc 5 bytes JMP 000000011000ae40 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070855a6a 5 bytes JMP 000000011000aec0 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070855ad7 5 bytes JMP 000000011000af00 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070855b5b 5 bytes JMP 000000011000af40 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070855bba 5 bytes JMP 000000011000af80 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070855bee 5 bytes JMP 000000011000b000 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070855c22 5 bytes JMP 000000011000b060 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070855c67 5 bytes JMP 000000011000b0d0 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006f757e3d 3 bytes JMP 000000011000a690 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate + 4 000000006f757e41 1 byte [A0] .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006f78de69 5 bytes JMP 000000011000a770 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006f79d2c5 5 bytes JMP 000000011000a8a0 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006f79d371 5 bytes JMP 000000011000a990 .text C:\Program Files (x86)\Gaming Mouse\trayicon.exe[4668] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006f79d429 5 bytes JMP 000000011000aa80 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\syswow64\ole32.DLL!CoCreateInstance 0000000076179d0b 5 bytes JMP 000000011000a4d0 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\syswow64\ole32.DLL!CoCreateInstanceEx 0000000076179d4e 5 bytes JMP 000000011000a630 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007083451e 5 bytes JMP 000000011000ab40 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070834b6d 5 bytes JMP 000000011000abb0 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070834bf2 5 bytes JMP 000000011000ac90 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070834f0f 5 bytes JMP 000000011000ac50 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070834f7b 5 bytes JMP 000000011000ac10 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070839054 5 bytes JMP 000000011000ad10 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007083adf9 5 bytes JMP 000000011000abe0 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000708552e8 5 bytes JMP 000000011000acd0 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007085535f 5 bytes JMP 000000011000acf0 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000708559cc 5 bytes JMP 000000011000ae40 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070855a6a 5 bytes JMP 000000011000aec0 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070855ad7 5 bytes JMP 000000011000af00 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070855b5b 5 bytes JMP 000000011000af40 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070855bba 5 bytes JMP 000000011000af80 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070855bee 5 bytes JMP 000000011000b000 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070855c22 5 bytes JMP 000000011000b060 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070855c67 5 bytes JMP 000000011000b0d0 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006f757e3d 3 bytes JMP 000000011000a690 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate + 4 000000006f757e41 1 byte [A0] .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006f78de69 5 bytes JMP 000000011000a770 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006f79d2c5 5 bytes JMP 000000011000a8a0 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006f79d371 5 bytes JMP 000000011000a990 .text D:\Ad Muncher\AdMunch.exe[4692] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006f79d429 5 bytes JMP 000000011000aa80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076179d0b 5 bytes JMP 000000010030a4d0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076179d4e 5 bytes JMP 000000010030a630 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077431465 2 bytes [43, 77] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774314bb 2 bytes [43, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 000000007083451e 5 bytes JMP 000000010030ab40 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070834b6d 5 bytes JMP 000000010030abb0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070834bf2 5 bytes JMP 000000010030ac90 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070834f0f 5 bytes JMP 000000010030ac50 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070834f7b 5 bytes JMP 000000010030ac10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070839054 5 bytes JMP 000000010030ad10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 000000007083adf9 5 bytes JMP 000000010030abe0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 00000000708552e8 5 bytes JMP 000000010030acd0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 000000007085535f 5 bytes JMP 000000010030acf0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInClose 00000000708559cc 5 bytes JMP 000000010030ae40 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070855a6a 5 bytes JMP 000000010030aec0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070855ad7 5 bytes JMP 000000010030af00 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070855b5b 5 bytes JMP 000000010030af40 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070855bba 5 bytes JMP 000000010030af80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070855bee 5 bytes JMP 000000010030b000 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070855c22 5 bytes JMP 000000010030b060 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070855c67 5 bytes JMP 000000010030b0d0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006f757e3d 5 bytes JMP 000000010030a690 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006f78de69 5 bytes JMP 000000010030a770 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006f79d2c5 5 bytes JMP 000000010030a8a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006f79d371 5 bytes JMP 000000010030a990 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[408] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006f79d429 5 bytes JMP 000000010030aa80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe[2536] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1460] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] .text C:\totalcmd\TOTALCMD64.EXE[4516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62] .text C:\totalcmd\TOTALCMD64.EXE[4516] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd6a45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\totalcmd\TOTALCMD64.EXE[4516] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd6a9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\totalcmd\TOTALCMD64.EXE[4516] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd6ce0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\totalcmd\TOTALCMD64.EXE[4516] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd6ce450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text D:\FRST\Gmer\zl3ecti4.exe[536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007503a2ba 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3992:4312] 000007fefb032a7c Thread C:\Windows\System32\svchost.exe [3596:4848] 000007feee489688 ---- EOF - GMER 2.1 ----