GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-20 00:42:52 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000077 ATA_____ rev.SDM2 465,76GB Running: wytqqssz.exe; Driver: C:\Users\TNR\AppData\Local\Temp\uwldipow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880081c0d24 12 bytes {MOV RAX, 0xfffffa800a0b32a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cfaf40 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076d04a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076d22990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d2efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d599b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d694d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d8a500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffced0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffced00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffced0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffced0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffced01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffced01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee57490 11 bytes JMP 000007fffced0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1620] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefee6bf00 7 bytes JMP 000007fffced0260 .text C:\Windows\system32\Dwm.exe[1252] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffced0180 .text C:\Windows\system32\Dwm.exe[1252] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffced00d8 .text C:\Windows\system32\Dwm.exe[1252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffced0148 .text C:\Windows\system32\Dwm.exe[1252] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffced0110 .text C:\Windows\system32\Dwm.exe[1252] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffced01f0 .text C:\Windows\system32\Dwm.exe[1252] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffced01b8 .text C:\Windows\system32\Dwm.exe[1252] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef728dc88 5 bytes JMP 000007fff72600d8 .text C:\Windows\system32\Dwm.exe[1252] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef728de10 5 bytes JMP 000007fff7260110 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cfaf40 7 bytes JMP 000000016fff0228 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076d04a60 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076d22990 5 bytes JMP 000000016fff01b8 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d2efe0 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d599b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d694d0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d8a500 7 bytes JMP 000000016fff01f0 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffced0180 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffced00d8 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffced0148 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffced0110 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffced01f0 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffced01b8 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee57490 11 bytes JMP 000007fffced0228 .text C:\Windows\system32\taskeng.exe[2152] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefee6bf00 7 bytes JMP 000007fffced0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cfaf40 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076d04a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076d22990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d2efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d599b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d694d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d8a500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffced0180 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffced00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffced0148 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffced0110 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffced01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffced01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee57490 11 bytes JMP 000007fffced0228 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefee6bf00 7 bytes JMP 000007fffced0260 .text C:\Program Files\Microsoft Security Client\msseces.exe[3068] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffcd40180 .text C:\Program Files\Microsoft Security Client\msseces.exe[3068] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffcd400d8 .text C:\Program Files\Microsoft Security Client\msseces.exe[3068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffcd40148 .text C:\Program Files\Microsoft Security Client\msseces.exe[3068] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffcd40110 .text C:\Program Files\Microsoft Security Client\msseces.exe[3068] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee57490 11 bytes JMP 000007fffcd40228 .text C:\Program Files\Microsoft Security Client\msseces.exe[3068] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefee6bf00 7 bytes JMP 000007fffcd40260 .text C:\Program Files\Microsoft Security Client\msseces.exe[3068] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffcd401f0 .text C:\Program Files\Microsoft Security Client\msseces.exe[3068] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffcd401b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cfaf40 7 bytes JMP 000000016fff0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076d04a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076d22990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d2efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d599b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d694d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d8a500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffced0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffced00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffced0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffced0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee57490 11 bytes JMP 000007fffced0228 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefee6bf00 7 bytes JMP 000007fffced0260 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffced01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1652] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffced01b8 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760d1eee 7 bytes JMP 00000001710a4b10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760d5b85 7 bytes JMP 00000001710a54b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760e13e1 7 bytes JMP 00000001710a4e50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760eea0d 7 bytes JMP 00000001710a4b00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000761788b4 7 bytes JMP 00000001710a45c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076178939 5 bytes JMP 00000001710a4670 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076178c8f 5 bytes JMP 00000001710a45d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076bb1d1b 5 bytes JMP 00000001710a4580 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076bb1dc9 5 bytes JMP 00000001710a4540 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076bb2aa4 5 bytes JMP 00000001710a4680 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076bb2d0a 5 bytes JMP 00000001710a4360 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076898a29 5 bytes JMP 00000001710a3a40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000768a4572 5 bytes JMP 00000001710a42e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000768be567 5 bytes JMP 00000001710a4350 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768e07d7 5 bytes JMP 00000001710a3850 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768f7a5c 5 bytes JMP 00000001710a42d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074b1e9a2 5 bytes JMP 00000001710a3b60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074b1ebdc 5 bytes JMP 00000001710a3b80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076295ea5 5 bytes JMP 00000001710a3a00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2044] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000762c9d0b 5 bytes JMP 00000001710a3990 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cfaf40 7 bytes JMP 000000016fff0228 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076d04a60 5 bytes JMP 000000016fff0180 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076d22990 5 bytes JMP 000000016fff01b8 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d2efe0 5 bytes JMP 000000016fff0110 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d599b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d694d0 5 bytes JMP 000000016fff0148 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d8a500 7 bytes JMP 000000016fff01f0 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffced0180 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffced00d8 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffced0148 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffced0110 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffced01f0 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffced01b8 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee57490 11 bytes JMP 000007fffced0228 .text C:\Windows\System32\igfxpers.exe[2932] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefee6bf00 7 bytes JMP 000007fffced0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cfaf40 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076d04a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076d22990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d2efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d599b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d694d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d8a500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffced0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffced00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffced0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffced0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffced01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3436] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffced01b8 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760d1eee 7 bytes JMP 00000001710a4b10 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760d5b85 7 bytes JMP 00000001710a54b0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760e13e1 7 bytes JMP 00000001710a4e50 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760eea0d 7 bytes JMP 00000001710a4b00 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000761788b4 7 bytes JMP 00000001710a45c0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076178939 5 bytes JMP 00000001710a4670 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076178c8f 5 bytes JMP 00000001710a45d0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076bb1d1b 5 bytes JMP 00000001710a4580 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076bb1dc9 5 bytes JMP 00000001710a4540 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076bb2aa4 5 bytes JMP 00000001710a4680 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076bb2d0a 5 bytes JMP 00000001710a4360 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074b1e9a2 5 bytes JMP 00000001710a3b60 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074b1ebdc 5 bytes JMP 00000001710a3b80 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076898a29 5 bytes JMP 00000001710a3a40 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000768a4572 5 bytes JMP 00000001710a42e0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000768be567 5 bytes JMP 00000001710a4350 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768e07d7 5 bytes JMP 00000001710a3850 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768f7a5c 5 bytes JMP 00000001710a42d0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076295ea5 5 bytes JMP 00000001710a3a00 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe[3456] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000762c9d0b 5 bytes JMP 00000001710a3990 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760d1eee 7 bytes JMP 00000001710a4b10 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760d5b85 7 bytes JMP 00000001710a54b0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760e13e1 7 bytes JMP 00000001710a4e50 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760eea0d 7 bytes JMP 00000001710a4b00 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000761788b4 7 bytes JMP 00000001710a45c0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076178939 5 bytes JMP 00000001710a4670 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076178c8f 5 bytes JMP 00000001710a45d0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076bb1d1b 5 bytes JMP 00000001710a4580 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076bb1dc9 5 bytes JMP 00000001710a4540 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076bb2aa4 5 bytes JMP 00000001710a4680 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076bb2d0a 5 bytes JMP 00000001710a4360 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074b1e9a2 5 bytes JMP 00000001710a3b60 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074b1ebdc 5 bytes JMP 00000001710a3b80 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076898a29 5 bytes JMP 00000001710a3a40 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000768a4572 5 bytes JMP 00000001710a42e0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000768be567 5 bytes JMP 00000001710a4350 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768e07d7 5 bytes JMP 00000001710a3850 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768f7a5c 5 bytes JMP 00000001710a42d0 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076295ea5 5 bytes JMP 00000001710a3a00 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000762c9d0b 5 bytes JMP 00000001710a3990 .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e01465 2 bytes [E0, 74] .text C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e014bb 2 bytes [E0, 74] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\kernel32.dll!RegSetValueExW 0000000076cfaf40 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000076d04a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000076d22990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d2efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076d599b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000076d694d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000076d8a500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcee2db0 5 bytes JMP 000007fffcd40180 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcee37d0 7 bytes JMP 000007fffcd400d8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcee8ef0 6 bytes JMP 000007fffcd40148 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefaf60 5 bytes JMP 000007fffcd40110 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee57490 11 bytes JMP 000007fffcd40228 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefee6bf00 7 bytes JMP 000007fffcd40260 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefd1d89e0 8 bytes JMP 000007fffcd401f0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefd1dbe40 8 bytes JMP 000007fffcd401b8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\d3d9.dll!Direct3DCreate9Ex 000007fef2702460 5 bytes JMP 000007fefcd402d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3912] C:\Windows\system32\d3d9.dll!Direct3DCreate9 000007fef27396b0 6 bytes JMP 000007fefcd40298 .text C:\Program Files (x86)\Skype\Updater\Updater.exe[4036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e01465 2 bytes [E0, 74] .text C:\Program Files (x86)\Skype\Updater\Updater.exe[4036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e014bb 2 bytes [E0, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760d1eee 7 bytes JMP 00000001710a4b10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760d5b85 7 bytes JMP 00000001710a54b0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760e13e1 7 bytes JMP 00000001710a4e50 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760eea0d 7 bytes JMP 00000001710a4b00 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000761788b4 7 bytes JMP 00000001710a45c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076178939 5 bytes JMP 00000001710a4670 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076178c8f 5 bytes JMP 00000001710a45d0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076bb1d1b 5 bytes JMP 00000001710a4580 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076bb1dc9 5 bytes JMP 00000001710a4540 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076bb2aa4 5 bytes JMP 00000001710a4680 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076bb2d0a 5 bytes JMP 00000001710a4360 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074b1e9a2 5 bytes JMP 00000001710a3b60 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074b1ebdc 5 bytes JMP 00000001710a3b80 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076898a29 5 bytes JMP 00000001710a3a40 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000768a4572 5 bytes JMP 00000001710a42e0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000768be567 5 bytes JMP 00000001710a4350 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768e07d7 5 bytes JMP 00000001710a3850 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768f7a5c 5 bytes JMP 00000001710a42d0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076295ea5 5 bytes JMP 00000001710a3a00 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe[1504] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000762c9d0b 5 bytes JMP 00000001710a3990 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760d1eee 7 bytes JMP 00000001710a4b10 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760d5b85 7 bytes JMP 00000001710a54b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760e13e1 7 bytes JMP 00000001710a4e50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760eea0d 7 bytes JMP 00000001710a4b00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000761788b4 7 bytes JMP 00000001710a45c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076178939 5 bytes JMP 00000001710a4670 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076178c8f 5 bytes JMP 00000001710a45d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076bb1d1b 5 bytes JMP 00000001710a4580 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076bb1dc9 5 bytes JMP 00000001710a4540 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076bb2aa4 5 bytes JMP 00000001710a4680 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076bb2d0a 5 bytes JMP 00000001710a4360 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074b1e9a2 5 bytes JMP 00000001710a3b60 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074b1ebdc 5 bytes JMP 00000001710a3b80 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076898a29 5 bytes JMP 00000001710a3a40 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000768a4572 5 bytes JMP 00000001710a42e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000768be567 5 bytes JMP 00000001710a4350 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768e07d7 5 bytes JMP 00000001710a3850 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768f7a5c 5 bytes JMP 00000001710a42d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076295ea5 5 bytes JMP 00000001710a3a00 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2908] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000762c9d0b 5 bytes JMP 00000001710a3990 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000760d1eee 7 bytes JMP 00000001710a4b10 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000760d5b85 7 bytes JMP 00000001710a54b0 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000760e13e1 7 bytes JMP 00000001710a4e50 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000760eea0d 7 bytes JMP 00000001710a4b00 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000761788b4 7 bytes JMP 00000001710a45c0 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076178939 5 bytes JMP 00000001710a4670 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076178c8f 5 bytes JMP 00000001710a45d0 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076bb1d1b 5 bytes JMP 00000001710a4580 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076bb1dc9 5 bytes JMP 00000001710a4540 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076bb2aa4 5 bytes JMP 00000001710a4680 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076bb2d0a 5 bytes JMP 00000001710a4360 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000074b1e9a2 5 bytes JMP 00000001710a3b60 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000074b1ebdc 5 bytes JMP 00000001710a3b80 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076898a29 5 bytes JMP 00000001710a3a40 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000768a4572 5 bytes JMP 00000001710a42e0 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000768be567 5 bytes JMP 00000001710a4350 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768e07d7 5 bytes JMP 00000001710a3850 .text C:\Users\TNR\Desktop\Nowy folder (2)\wytqqssz.exe[2636] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768f7a5c 5 bytes JMP 00000001710a42d0 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001070f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001070cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107169c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001071a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010718f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\az3kunts \Device\Scsi\az3kunts1Port1Path0Target0Lun0 fffffa800a35b2c0 Device \Driver\az3kunts \Device\Scsi\az3kunts1 fffffa800a35b2c0 Device \FileSystem\Ntfs \Ntfs fffffa80069cc2c0 Device \FileSystem\fastfat \Fat fffffa800cb1d2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006b662c0 Device \Driver\iaStorA \Device\RaidPort0 fffffa80069c82c0 Device \Driver\cdrom \Device\CdRom0 fffffa8009d4f2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8009d4f2c0 Device \Driver\cdrom \Device\CdRom2 fffffa8009d4f2c0 Device \Driver\dtsoftbus01 \Device\0000007b fffffa8009d4b2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006b662c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8009d4b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{49DDC199-A674-4907-8FAA-FEC68523AA72} fffffa8009da92c0 Device \Driver\iaStorA \Device\00000076 fffffa80069c82c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006b662c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{55DA2DE7-F8A5-4AA0-9B9A-46EDE3C60D96} fffffa8009da92c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8009da92c0 Device \Driver\iaStorA \Device\00000077 fffffa80069c82c0 Device \Driver\iaStorA \Device\ScsiPort0 fffffa80069c82c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006b662c0 Device \Driver\az3kunts \Device\ScsiPort1 fffffa800a35b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{AB8499EF-07A5-4F0D-A5B8-DC823D17114F} fffffa8009da92c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{830422D5-DFD9-40B7-82FA-64182C4410DE} fffffa8009da92c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa80069c82c0]<< sptd.sys storport.sys hal.dll iaStorA.sys fffffa80069c82c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009877060] fffffa8009877060 Trace 3 CLASSPNP.SYS[fffff880019cc43f] -> nt!IofCallDriver -> [0xfffffa80096b8a30] fffffa80096b8a30 Trace 5 iaStorF.sys[fffff88001a5d168] -> nt!IofCallDriver -> \Device\00000077[0xfffffa8007913060] fffffa8007913060 Trace \Driver\iaStorA[0xfffffa80078a5640] -> IRP_MJ_CREATE -> 0xfffffa80069c82c0 fffffa80069c82c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\az3kunts.SYS fffff88008571000-fffff880085c2000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\ntdll.dll [3380:3484] 00000000010a0532 ---- Processes - GMER 2.1 ---- Library C:\Users\TNR\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1436] (GG drive menu/GG Network S.A.)(2014-07 000000005ff80000 ---- EOF - GMER 2.1 ----