GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-01 08:15:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.2AR1 931,51GB
Running: 32j957dp.exe; Driver: C:\Users\Kasia\AppData\Local\Temp\fwrcaaob.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef8c5dc88 5 bytes JMP 000007fff8c300d8
.text C:\Windows\system32\Dwm.exe[1552] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef8c5de10 5 bytes JMP 000007fff8c30110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d1f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d49a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d59630 5 bytes JMP 000000016fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d787e0 7 bytes JMP 000000016fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefef37490 11 bytes JMP 000007fffcde0228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1596] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefef4bf00 7 bytes JMP 000007fffcde0260
.text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefef37490 11 bytes JMP 000007fffcde0228
.text C:\Windows\System32\igfxpers.exe[2076] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefef4bf00 7 bytes JMP 000007fffcde0260
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d1f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d49a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d59630 5 bytes JMP 000000016fff0110
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d787e0 7 bytes JMP 000000016fff01b8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefef37490 11 bytes JMP 000007fffcde0228
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2136] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefef4bf00 7 bytes JMP 000007fffcde0260
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d1f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d49a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d59630 5 bytes JMP 000000016fff0110
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d787e0 7 bytes JMP 000000016fff01b8
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefef37490 11 bytes JMP 000007fffcde0228
.text C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe[2204] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefef4bf00 7 bytes JMP 000007fffcde0260
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d1f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d49a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d59630 5 bytes JMP 000000016fff0110
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d787e0 7 bytes JMP 000000016fff01b8
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2236] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\kernel32.dll!CreateFileW 0000000074c83f1c 5 bytes JMP 00000001043a3730
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000074cab21b 5 bytes JMP 00000001747215be
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074d28e24 7 bytes JMP 0000000174721357
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074d28ea9 5 bytes JMP 00000001747216e0
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074d291ff 5 bytes JMP 0000000174721028
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074b61d29 5 bytes JMP 00000001747211ef
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074b61dd7 5 bytes JMP 0000000174721023
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074b62d17 5 bytes JMP 0000000174721294
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755ce96b 5 bytes JMP 00000001747215d7
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755ceba5 5 bytes JMP 00000001747211b8
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076bf8a29 5 bytes JMP 0000000174721050
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076bf8e4e 5 bytes JMP 00000001043a2ee0
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076c00dfb 5 bytes JMP 00000001043a2e70
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!SetFocus 0000000076c02175 5 bytes JMP 00000001043a2ec0
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!SetActiveWindow 0000000076c03208 5 bytes JMP 00000001043a2f30
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076c04572 5 bytes JMP 00000001747210d2
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!BringWindowToTop 0000000076c07b3b 5 bytes JMP 00000001043a2dd0
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000076c1f170 5 bytes JMP 00000001043a2da0
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow 0000000076c390fc 1 byte JMP 00000001043a2e00
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow + 2 0000000076c390fe 3 bytes {JMP 0xffffffff8d769d04}
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\USER32.dll!ShowWindowAsync 0000000076c57d97 5 bytes JMP 00000001043a2e20
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074da5ea5 5 bytes JMP 0000000174721609
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\ole32.dll!DoDragDrop 0000000074e9a827 5 bytes JMP 00000001043a2d80
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text E:\gramy\Origin\Origin.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d1f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d49a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d59630 5 bytes JMP 000000016fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d787e0 7 bytes JMP 000000016fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2576] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2604] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2604] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2604] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2604] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d1f2e0 5 bytes JMP 000000016fff0148
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d49a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d594c0 5 bytes JMP 000000016fff0180
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000076d59630 5 bytes JMP 000000016fff0110
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d787e0 7 bytes JMP 000000016fff01b8
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcdf2db0 5 bytes JMP 000007fffcde0180
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcdf37d0 7 bytes JMP 000007fffcde00d8
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcdf8ef0 6 bytes JMP 000007fffcde0148
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce0af60 5 bytes JMP 000007fffcde0110
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd2889e0 8 bytes JMP 000007fffcde01f0
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2620] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd28be40 8 bytes JMP 000007fffcde01b8
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000074cab21b 5 bytes JMP 00000001747215be
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074d28e24 7 bytes JMP 0000000174721357
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074d28ea9 5 bytes JMP 00000001747216e0
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074d291ff 5 bytes JMP 0000000174721028
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074b61d29 5 bytes JMP 00000001747211ef
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074b61dd7 5 bytes JMP 0000000174721023
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074b62d17 5 bytes JMP 0000000174721294
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076bf8a29 5 bytes JMP 0000000174721050
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076c04572 5 bytes JMP 00000001747210d2
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755ce96b 5 bytes JMP 00000001747215d7
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755ceba5 5 bytes JMP 00000001747211b8
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074da5ea5 5 bytes JMP 0000000174721609
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe[2708] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000074cab21b 5 bytes JMP 00000001747215be
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074d28e24 7 bytes JMP 0000000174721357
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074d28ea9 5 bytes JMP 00000001747216e0
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074d291ff 5 bytes JMP 0000000174721028
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074b61d29 5 bytes JMP 00000001747211ef
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074b61dd7 5 bytes JMP 0000000174721023
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074b62d17 5 bytes JMP 0000000174721294
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755ce96b 5 bytes JMP 00000001747215d7
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755ceba5 5 bytes JMP 00000001747211b8
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076bf8a29 5 bytes JMP 0000000174721050
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076c04572 5 bytes JMP 00000001747210d2
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074da5ea5 5 bytes JMP 0000000174721609
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2892] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000074cab21b 5 bytes JMP 00000001747215be
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074d28e24 7 bytes JMP 0000000174721357
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074d28ea9 5 bytes JMP 00000001747216e0
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074d291ff 5 bytes JMP 0000000174721028
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074b61d29 5 bytes JMP 00000001747211ef
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074b61dd7 5 bytes JMP 0000000174721023
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074b62d17 5 bytes JMP 0000000174721294
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755ce96b 5 bytes JMP 00000001747215d7
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755ceba5 5 bytes JMP 00000001747211b8
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076bf8a29 5 bytes JMP 0000000174721050
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076c04572 5 bytes JMP 00000001747210d2
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074da5ea5 5 bytes JMP 0000000174721609
.text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[2940] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000074cab21b 5 bytes JMP 00000001747215be
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074d28e24 7 bytes JMP 0000000174721357
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074d28ea9 5 bytes JMP 00000001747216e0
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074d291ff 5 bytes JMP 0000000174721028
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074b61d29 5 bytes JMP 00000001747211ef
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074b61dd7 5 bytes JMP 0000000174721023
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074b62d17 5 bytes JMP 0000000174721294
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076bf8a29 5 bytes JMP 0000000174721050
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076c04572 5 bytes JMP 00000001747210d2
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755ce96b 5 bytes JMP 00000001747215d7
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755ceba5 5 bytes JMP 00000001747211b8
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074da5ea5 5 bytes JMP 0000000174721609
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW 0000000074cab21b 5 bytes JMP 00000001747215be
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 0000000074d28e24 7 bytes JMP 0000000174721357
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000074d28ea9 5 bytes JMP 00000001747216e0
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000074d291ff 5 bytes JMP 0000000174721028
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074b61d29 5 bytes JMP 00000001747211ef
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074b61dd7 5 bytes JMP 0000000174721023
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074b62d17 5 bytes JMP 0000000174721294
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755ce96b 5 bytes JMP 00000001747215d7
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755ceba5 5 bytes JMP 00000001747211b8
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076bf8a29 5 bytes JMP 0000000174721050
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076c04572 5 bytes JMP 00000001747210d2
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074da5ea5 5 bytes JMP 0000000174721609
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text C:\Windows\SysWOW64\RunDll32.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Windows\SysWOW64\RunDll32.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ... * 2
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000074cab21b 5 bytes JMP 00000001747215be
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074d28e24 7 bytes JMP 0000000174721357
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074d28ea9 5 bytes JMP 00000001747216e0
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074d291ff 5 bytes JMP 0000000174721028
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074b61d29 5 bytes JMP 00000001747211ef
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074b61dd7 5 bytes JMP 0000000174721023
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074b62d17 5 bytes JMP 0000000174721294
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\user32.DLL!CreateWindowExW 0000000076bf8a29 5 bytes JMP 0000000174721050
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesA 0000000076c04572 5 bytes JMP 00000001747210d2
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755ce96b 5 bytes JMP 00000001747215d7
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755ceba5 5 bytes JMP 00000001747211b8
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074da5ea5 5 bytes JMP 0000000174721609
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74]
.text ...
* 2 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000074cab21b 5 bytes JMP 00000001747215be .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000074d28e24 7 bytes JMP 0000000174721357 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000074d28ea9 5 bytes JMP 00000001747216e0 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000074d291ff 5 bytes JMP 0000000174721028 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074b61d29 5 bytes JMP 00000001747211ef .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000074b61dd7 5 bytes JMP 0000000174721023 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074b62d17 5 bytes JMP 0000000174721294 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000755ce96b 5 bytes JMP 00000001747215d7 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000755ceba5 5 bytes JMP 00000001747211b8 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076bf8a29 5 bytes JMP 0000000174721050 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076c04572 5 bytes JMP 00000001747210d2 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] 
C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000074da5ea5 5 bytes JMP 0000000174721609 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249 .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74] .text C:\Users\Kasia\Downloads\32j957dp.exe[4396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074ff14bb 2 bytes [FF, 74] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2060:4696] 000007fefab92bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2060:4732] 000007fef57f5124 ---- Processes - GMER 2.1 ---- Process C:\Users\Kasia\AppData\Local\NativeScriptTooltip\NativeScriptTooltip.exe (*** suspicious ***) @ C:\Users\Kasia\AppData\Local\NativeScriptTooltip\NativeScriptTooltip.exe [1628](2014-07-27 08:47:09) 0000000000340000 Library C:\Users\Kasia\AppData\Local\NativeScriptTooltip\QtNetwork4.dll (*** suspicious ***) @ C:\Users\Kasia\AppData\Local\NativeScriptTooltip\NativeScriptTooltip.exe [1628] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-07-27 08:47:09) 0000000072850000 Library C:\Users\Kasia\AppData\Local\NativeScriptTooltip\QtCore4.dll (*** suspicious ***) @ C:\Users\Kasia\AppData\Local\NativeScriptTooltip\NativeScriptTooltip.exe [1628] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-07-27 08:47:09) 0000000072570000 Library C:\Users\Kasia\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe [2708](2014-07-21 20:53:38) 0000000003d90000 Library c:\users\kasia\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpo5pwa6.dll (*** suspicious ***) @ C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe [2708](2014-08-01 07:07:56) 00000000041d0000 
Library C:\Users\Kasia\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe [2708](2013-10-18 23:55:02) 0000000062a50000 Library C:\Users\Kasia\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Kasia\AppData\Roaming\Dropbox\bin\Dropbox.exe [2708] (ICU Data DLL/The ICU Project)(2013-10-18 23:55:00) 00000000620c0000 Process C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe (*** suspicious ***) @ C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe [3896](2014-07-27 08:47:09) 0000000001120000 Library C:\Users\Kasia\AppData\Local\NativeScriptTooltip\QtNetwork4.dll (*** suspicious ***) @ C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe [3896] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-07-27 08:47:09) 0000000072850000 Library C:\Users\Kasia\AppData\Local\NativeScriptTooltip\QtCore4.dll (*** suspicious ***) @ C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe [3896] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-07-27 08:47:09) 0000000072570000 ---- EOF - GMER 2.1 ----
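Triage aid for the "User code sections" entries above. This is an added example, not part of the GMER output or of GMER itself: it parses the inline-hook line format GMER prints (`.text <process>[pid] <module>!<export>[ + offset] <address> <n> bytes JMP <target>` or `... <n> bytes [xx, yy]`), groups hooks by process, reports JMP targets shared across several processes (one target address hit from many unrelated processes points at a single module mapped system-wide, which can be a security product or display shim just as well as malware), and applies a heuristic of my own that flags hooked processes whose image sits under a user-writable directory. The sample lines are copied from the log on this page; the `USER_WRITABLE` path fragments and all function names are my assumptions, not anything GMER defines.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied verbatim from the GMER log above,
# one entry per line as GMER itself prints them. The ".text ... * 2"
# line is GMER's elision marker for further identical hooks.
SAMPLE_LOG = r"""
.text C:\Program Files (x86)\Lenovo\Lenovo CAPOSD\CAPOSD.exe[2960] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074b62ab1 5 bytes JMP 000000017472156e
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000074c91409 7 bytes JMP 00000001747212ad
.text C:\Users\Kasia\AppData\Local\NativeScriptTooltip\MotionStartWinsock.exe[3896] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000074dd9d0b 5 bytes JMP 0000000174721249
.text C:\Windows\SysWOW64\RunDll32.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074ff1465 2 bytes [FF, 74]
.text ... * 2
"""

# Process paths contain spaces, so the process field is matched lazily up to
# the "[pid] " that always follows it; module paths contain no spaces.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>\S+)!(?P<symbol>\w+)(?: \+ (?P<offset>\d+))? "
    r"(?P<addr>[0-9a-fA-F]{16}) (?P<size>\d+) bytes "
    r"(?:JMP (?P<target>[0-9a-fA-F]{16})|\[(?P<bytes>[0-9A-Fa-f, ]+)\])$"
)

# Heuristic of my own (assumption, not a GMER rule): image paths under these
# fragments are writable by the interactive user.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def parse_hooks(text):
    """Return one dict per hook entry; elision lines like '.text ... * 2' are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "process": d["proc"],
            "pid": int(d["pid"]),
            "module": d["module"].rsplit("\\", 1)[-1].lower(),
            "symbol": d["symbol"] + (f"+{d['offset']}" if d["offset"] else ""),
            "addr": int(d["addr"], 16),
            "size": int(d["size"]),
            # "jmp": a 5/7-byte detour to another module; "patch": raw bytes overwritten in place
            "kind": "jmp" if d["target"] else "patch",
            "target": int(d["target"], 16) if d["target"] else None,
            "bytes": d["bytes"],
        })
    return hooks


def group_by_process(hooks):
    """Map (process path, pid) -> list of its hooks."""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[(h["process"], h["pid"])].append(h)
    return dict(by_proc)


def shared_jmp_targets(hooks):
    """Map each JMP target that appears in more than one process to the sorted
    list of those processes. Identical targets across unrelated processes mean
    one detour module is mapped at the same address everywhere."""
    targets = defaultdict(set)
    for h in hooks:
        if h["kind"] == "jmp":
            targets[h["target"]].add(h["process"])
    return {t: sorted(p) for t, p in targets.items() if len(p) > 1}


def user_writable_processes(hooks):
    """Hooked processes whose image lives under a user-writable directory.
    A triage cue only, not a verdict on the process."""
    return sorted({h["process"] for h in hooks
                   if any(frag in h["process"].lower() for frag in USER_WRITABLE)})


def summarize(text):
    hooks = parse_hooks(text)
    return {
        "hooks": len(hooks),
        "processes": len(group_by_process(hooks)),
        "shared_targets": {hex(t): p for t, p in shared_jmp_targets(hooks).items()},
        "user_writable": user_writable_processes(hooks),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Feed it the whole "User code sections" block of a GMER log (saved as UTF-8 text) instead of `SAMPLE_LOG` to get the full picture; the process-vs-target grouping is what separates a system-wide detour shared by every WOW64 process from a hook that exists in only one process.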