GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-18 10:00:28 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4 Samsung_SSD_850_EVO_500GB rev.EMT01B6Q 465,76GB Running: zyjzyrzj.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\kgloapow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\Dwm.exe[1472] C:\Windows\system32\ws2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Windows\system32\Dwm.exe[1472] C:\Windows\system32\ws2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Windows\system32\Dwm.exe[1472] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Windows\system32\Dwm.exe[1472] C:\Windows\system32\ws2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text C:\Windows\Explorer.EXE[1536] C:\Windows\system32\ws2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Windows\Explorer.EXE[1536] C:\Windows\system32\ws2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Windows\Explorer.EXE[1536] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Windows\Explorer.EXE[1536] C:\Windows\system32\ws2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\system32\ws2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\system32\ws2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\system32\ws2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076269cbb 5 bytes JMP 000000001000a4d0 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076269cfe 5 bytes JMP 000000001000a630 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000070a8451e 5 bytes JMP 000000001000ab40 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070a84b6d 5 bytes JMP 000000001000abb0 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070a84bf2 5 bytes JMP 000000001000ac90 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070a84f0f 5 bytes JMP 000000001000ac50 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070a84f7b 5 bytes JMP 000000001000ac10 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070a89054 5 bytes JMP 000000001000ad10 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000070a8adf9 5 bytes JMP 000000001000abe0 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000070aa52e8 5 bytes JMP 000000001000acd0 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000070aa535f 5 bytes JMP 000000001000acf0 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000070aa59cc 5 bytes JMP 000000001000ae40 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070aa5a6a 5 bytes JMP 000000001000aec0 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070aa5ad7 5 bytes JMP 000000001000af00 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070aa5b5b 5 bytes JMP 000000001000af40 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070aa5bba 5 bytes JMP 000000001000af80 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070aa5bee 5 bytes JMP 000000001000b000 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070aa5c22 5 bytes JMP 000000001000b060 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070aa5c67 5 bytes JMP 000000001000b0d0 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006db87e3d 5 bytes JMP 000000001000a690 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006dbbde69 5 bytes JMP 000000001000a770 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006dbcd2c5 5 bytes JMP 000000001000a8a0 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006dbcd371 5 bytes JMP 000000001000a990 .text C:\Windows\SysWOW64\HsMgr.exe[2752] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006dbcd429 5 bytes JMP 000000001000aa80 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutClose 000007fefa3036ac 3 bytes JMP 000007fefd5501f0 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutClose + 4 000007fefa3036b0 1 byte [03] .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutUnprepareHeader 000007fefa303770 3 bytes JMP 000007fefd550298 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutUnprepareHeader + 4 000007fefa303774 1 byte [03] .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutOpen 000007fefa3038d0 3 bytes JMP 000007fefd5501b8 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutOpen + 4 000007fefa3038d4 1 byte [03] .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutPrepareHeader 000007fefa303ca4 3 bytes JMP 000007fefd550260 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutPrepareHeader + 4 000007fefa303ca8 1 byte [03] .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutWrite 000007fefa303d40 3 bytes JMP 000007fefd550228 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutWrite + 4 000007fefa303d44 1 byte [03] .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInOpen 000007fefa307fe0 7 bytes JMP 000007fefd550378 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutReset 000007fefa30a38c 3 bytes JMP 000007fefd5502d0 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutReset + 4 000007fefa30a390 1 byte [03] .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutGetVolume 000007fefa3249f0 5 bytes JMP 000007fefd550308 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveOutSetVolume 000007fefa324ab0 5 bytes JMP 000007fefd550340 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInClose 000007fefa3252e0 5 bytes JMP 000007fefd5503b0 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInPrepareHeader 000007fefa3253c0 5 bytes JMP 000007fefd550490 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInUnprepareHeader 000007fefa325454 5 bytes JMP 000007fefd5504c8 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInAddBuffer 000007fefa325514 5 bytes JMP 000007fefd550500 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInStart 000007fefa3255a4 6 bytes JMP 000007fefd5503e8 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInStop 000007fefa3255e4 6 bytes JMP 000007fefd550420 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInReset 000007fefa325624 5 bytes JMP 000007fefd550458 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\WINMM.dll!waveInGetPosition 000007fefa32567c 5 bytes JMP 000007fefd550538 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\DSOUND.dll!DirectSoundCreate8 000007fef2986944 7 bytes JMP 000007fefd550180 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\DSOUND.dll!DirectSoundCreate 000007fef29a5a84 7 bytes JMP 000007fefd550148 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate 000007fef29a5b90 7 bytes JMP 000007fefd550570 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate8 000007fef29a5c94 7 bytes JMP 000007fefd5505a8 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\DSOUND.dll!DirectSoundFullDuplexCreate 000007fef29a5da8 5 bytes JMP 000007fefd5505e0 .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\ws2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\ws2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Windows\system\HsMgr64.exe[2760] C:\Windows\system32\ws2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076932bdc 5 bytes JMP 00000000011df046 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 00000000761e30aa 7 bytes JMP 0000000000740095 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\syswow64\WS2_32.dll!recv + 202 00000000761e68f0 7 bytes JMP 000000000074002d .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 00000000761e6e5a 7 bytes JMP 00000000007400c9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\syswow64\WS2_32.dll!WSASetEvent + 43 00000000761ebcd0 7 bytes JMP 0000000000740061 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076269cbb 5 bytes JMP 000000001000a4d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076269cfe 5 bytes JMP 000000001000a630 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000070a8451e 5 bytes JMP 000000001000ab40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070a84b6d 5 bytes JMP 000000001000abb0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070a84bf2 5 bytes JMP 000000001000ac90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070a84f0f 5 bytes JMP 000000001000ac50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070a84f7b 5 bytes JMP 000000001000ac10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070a89054 5 bytes JMP 000000001000ad10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000070a8adf9 5 bytes JMP 000000001000abe0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000070aa52e8 5 bytes JMP 000000001000acd0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000070aa535f 5 bytes JMP 000000001000acf0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000070aa59cc 5 bytes JMP 000000001000ae40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070aa5a6a 5 bytes JMP 000000001000aec0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070aa5ad7 5 bytes JMP 000000001000af00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070aa5b5b 5 bytes JMP 000000001000af40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070aa5bba 5 bytes JMP 000000001000af80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070aa5bee 5 bytes JMP 000000001000b000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070aa5c22 5 bytes JMP 000000001000b060 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070aa5c67 5 bytes JMP 000000001000b0d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006db87e3d 5 bytes JMP 000000001000a690 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006dbbde69 5 bytes JMP 000000001000a770 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006dbcd2c5 5 bytes JMP 000000001000a8a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006dbcd371 5 bytes JMP 000000001000a990 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2784] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006dbcd429 5 bytes JMP 000000001000aa80 .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f61401 2 bytes JMP 74feb263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f61419 2 bytes JMP 74feb38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f61431 2 bytes JMP 750690f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f6144a 2 bytes CALL 74fc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f614dd 2 bytes JMP 750689ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f614f5 2 bytes JMP 75068bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f6150d 2 bytes JMP 750688e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f61525 2 bytes JMP 75068caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f6153d 2 bytes JMP 74fdfce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f61555 2 bytes JMP 74fe6937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f6156d 2 bytes JMP 750691a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f61585 2 bytes JMP 75068d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f6159d 2 bytes JMP 750688a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f615b5 2 bytes JMP 74fdfd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f615cd 2 bytes JMP 74feb324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f616b2 2 bytes JMP 7506906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\PnkBstrA.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f616bd 2 bytes JMP 75068839 C:\Windows\syswow64\kernel32.dll .text F:\Rainlendar2\Rainlendar2.exe[2936] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text F:\Rainlendar2\Rainlendar2.exe[2936] C:\Windows\system32\WS2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text F:\Rainlendar2\Rainlendar2.exe[2936] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text F:\Rainlendar2\Rainlendar2.exe[2936] C:\Windows\system32\WS2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text C:\Windows\system32\RunDll32.exe[2132] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Windows\system32\RunDll32.exe[2132] C:\Windows\system32\WS2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Windows\system32\RunDll32.exe[2132] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Windows\system32\RunDll32.exe[2132] C:\Windows\system32\WS2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074fc8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f61401 2 bytes JMP 74feb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f61419 2 bytes JMP 74feb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f61431 2 bytes JMP 750690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f6144a 2 bytes CALL 74fc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f614dd 2 bytes JMP 750689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f614f5 2 bytes JMP 75068bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f6150d 2 bytes JMP 750688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f61525 2 bytes JMP 75068caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f6153d 2 bytes JMP 74fdfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f61555 2 bytes JMP 74fe6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f6156d 2 bytes JMP 750691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f61585 2 bytes JMP 75068d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f6159d 2 bytes JMP 750688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f615b5 2 bytes JMP 74fdfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f615cd 2 bytes JMP 74feb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f616b2 2 bytes JMP 7506906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[4004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f616bd 2 bytes JMP 75068839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076269cbb 5 bytes JMP 000000001000a4d0 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076269cfe 5 bytes JMP 000000001000a630 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f61401 2 bytes JMP 74feb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f61419 2 bytes JMP 74feb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f61431 2 bytes JMP 750690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f6144a 2 bytes CALL 74fc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f614dd 2 bytes JMP 750689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f614f5 2 bytes JMP 75068bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f6150d 2 bytes JMP 750688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f61525 2 bytes JMP 75068caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f6153d 2 bytes JMP 74fdfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f61555 2 bytes JMP 74fe6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f6156d 2 bytes JMP 750691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f61585 2 bytes JMP 75068d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f6159d 2 bytes JMP 750688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f615b5 2 bytes JMP 74fdfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f615cd 2 bytes JMP 74feb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f616b2 2 bytes JMP 7506906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f616bd 2 bytes JMP 75068839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000070a8451e 5 bytes JMP 000000001000ab40 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070a84b6d 5 bytes JMP 000000001000abb0 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070a84bf2 5 bytes JMP 000000001000ac90 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070a84f0f 5 bytes JMP 000000001000ac50 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070a84f7b 5 bytes JMP 000000001000ac10 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070a89054 5 bytes JMP 000000001000ad10 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000070a8adf9 5 bytes JMP 000000001000abe0 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000070aa52e8 5 bytes JMP 000000001000acd0 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000070aa535f 5 bytes JMP 000000001000acf0 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000070aa59cc 5 bytes JMP 000000001000ae40 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070aa5a6a 5 bytes JMP 000000001000aec0 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070aa5ad7 5 bytes JMP 000000001000af00 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070aa5b5b 5 bytes JMP 000000001000af40 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070aa5bba 5 bytes JMP 000000001000af80 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070aa5bee 5 bytes JMP 000000001000b000 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070aa5c22 5 bytes JMP 000000001000b060 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070aa5c67 5 bytes JMP 000000001000b0d0 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006db87e3d 5 bytes JMP 000000001000a690 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006dbbde69 5 bytes JMP 000000001000a770 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006dbcd2c5 5 bytes JMP 000000001000a8a0 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006dbcd371 5 bytes JMP 000000001000a990 .text C:\Program Files (x86)\Perixx Gaming mouse\SE61T-UserTools.exe[4032] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006dbcd429 5 bytes JMP 000000001000aa80 .text C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe[3328] C:\Windows\system32\WS2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe[3328] C:\Windows\system32\WS2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe[3328] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe[3328] C:\Windows\system32\WS2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\syswow64\ole32.DLL!CoCreateInstance 0000000076269cbb 5 bytes JMP 000000001000a4d0 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\syswow64\ole32.DLL!CoCreateInstanceEx 0000000076269cfe 5 bytes JMP 000000001000a630 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000070a8451e 5 bytes JMP 000000001000ab40 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070a84b6d 5 bytes JMP 000000001000abb0 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070a84bf2 5 bytes JMP 000000001000ac90 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070a84f0f 5 bytes JMP 000000001000ac50 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070a84f7b 5 bytes JMP 000000001000ac10 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070a89054 5 bytes JMP 000000001000ad10 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000070a8adf9 5 bytes JMP 000000001000abe0 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000070aa52e8 5 bytes JMP 000000001000acd0 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000070aa535f 5 bytes JMP 000000001000acf0 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000070aa59cc 5 bytes JMP 000000001000ae40 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070aa5a6a 5 bytes JMP 000000001000aec0 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070aa5ad7 5 bytes JMP 000000001000af00 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070aa5b5b 5 bytes JMP 000000001000af40 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070aa5bba 5 bytes JMP 000000001000af80 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070aa5bee 5 bytes JMP 000000001000b000 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070aa5c22 5 bytes JMP 000000001000b060 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070aa5c67 5 bytes JMP 000000001000b0d0 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006db87e3d 5 bytes JMP 000000001000a690 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006dbbde69 5 bytes JMP 000000001000a770 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006dbcd2c5 5 bytes JMP 000000001000a8a0 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006dbcd371 5 bytes JMP 000000001000a990 .text F:\Ad Muncher\AdMunch.exe[3964] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006dbcd429 5 bytes JMP 000000001000aa80 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076269cbb 5 bytes JMP 000000001000a4d0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076269cfe 5 bytes JMP 000000001000a630 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000070a8451e 5 bytes JMP 000000001000ab40 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000070a84b6d 5 bytes JMP 000000001000abb0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000070a84bf2 5 bytes JMP 000000001000ac90 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000070a84f0f 5 bytes JMP 000000001000ac50 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000070a84f7b 5 bytes JMP 000000001000ac10 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000070a89054 5 bytes JMP 000000001000ad10 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000070a8adf9 5 bytes JMP 000000001000abe0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000070aa52e8 5 bytes JMP 000000001000acd0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000070aa535f 5 bytes JMP 000000001000acf0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000070aa59cc 5 bytes JMP 000000001000ae40 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000070aa5a6a 5 bytes JMP 000000001000aec0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000070aa5ad7 5 bytes JMP 000000001000af00 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000070aa5b5b 5 bytes JMP 000000001000af40 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000070aa5bba 5 bytes JMP 000000001000af80 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000070aa5bee 5 bytes JMP 000000001000b000 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000070aa5c22 5 bytes JMP 000000001000b060 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000070aa5c67 5 bytes JMP 000000001000b0d0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006db87e3d 5 bytes JMP 000000001000a690 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006dbbde69 5 bytes JMP 000000001000a770 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006dbcd2c5 5 bytes JMP 000000001000a8a0 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006dbcd371 5 bytes JMP 000000001000a990 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006dbcd429 5 bytes JMP 000000001000aa80 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075f61401 2 bytes JMP 74feb263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075f61419 2 bytes JMP 74feb38e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075f61431 2 bytes JMP 750690f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075f6144a 2 bytes CALL 74fc48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075f614dd 2 bytes JMP 750689ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075f614f5 2 bytes JMP 75068bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075f6150d 2 bytes JMP 750688e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075f61525 2 bytes JMP 75068caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075f6153d 2 bytes JMP 74fdfce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075f61555 2 bytes JMP 74fe6937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075f6156d 2 bytes JMP 750691a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075f61585 2 bytes JMP 75068d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075f6159d 2 bytes JMP 750688a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075f615b5 2 bytes JMP 74fdfd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075f615cd 2 bytes JMP 74feb324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075f616b2 2 bytes JMP 7506906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075f616bd 2 bytes JMP 75068839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.exe[4536] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076269cbb 5 bytes JMP 000000001000a4d0 .text C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.exe[4536] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076269cfe 5 bytes JMP 000000001000a630 .text C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.exe[4536] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 000000006db87e3d 5 bytes JMP 000000001000a690 .text C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.exe[4536] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000006dbbde69 5 bytes JMP 000000001000a770 .text C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.exe[4536] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000006dbcd2c5 5 bytes JMP 000000001000a8a0 .text C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.exe[4536] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000006dbcd371 5 bytes JMP 000000001000a990 .text C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.exe[4536] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000006dbcd429 5 bytes JMP 000000001000aa80 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5092] C:\Windows\system32\ws2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5092] C:\Windows\system32\ws2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5092] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5092] C:\Windows\system32\ws2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text C:\Windows\system32\conhost.exe[5332] C:\Windows\system32\ws2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Windows\system32\conhost.exe[5332] C:\Windows\system32\ws2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Windows\system32\conhost.exe[5332] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Windows\system32\conhost.exe[5332] C:\Windows\system32\ws2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text C:\Windows\system32\conhost.exe[6752] C:\Windows\system32\ws2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text C:\Windows\system32\conhost.exe[6752] C:\Windows\system32\ws2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text C:\Windows\system32\conhost.exe[6752] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text C:\Windows\system32\conhost.exe[6752] C:\Windows\system32\ws2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} .text F:\totalcmd\TOTALCMD64.EXE[7148] C:\Windows\system32\ws2_32.dll!connect + 1 000007feff6542f1 5 bytes {JMP QWORD [RIP-0x7fef42be]} .text F:\totalcmd\TOTALCMD64.EXE[7148] C:\Windows\system32\ws2_32.dll!getsockname 000007feff659150 6 bytes {JMP QWORD [RIP-0x7fed90e6]} .text F:\totalcmd\TOTALCMD64.EXE[7148] C:\Windows\system32\ws2_32.dll!WSAConnect 000007feff67e080 6 bytes {JMP QWORD [RIP-0x7fefe04e]} .text F:\totalcmd\TOTALCMD64.EXE[7148] C:\Windows\system32\ws2_32.dll!getpeername 000007feff67e3e0 6 bytes {JMP QWORD [RIP-0x7fefe33e]} ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\ngvss\Parameters@asserts ???j?z?????????????????s? ?????????????????????????????????s????????????????????????File system??????j?j?j??????????????????File System?????PEAUTH???????r?r? ???????????????????????????????????????????????? ??/???7???e???????????6???????j?j?j???????f???????e????????????N??j???????????????????j??????????????? ???????j?????j?????i?????????????? ????????7??????????????????????? ???????j??????????????????????N????????????j?j?j???j?j?????????j???s???????????????????????j?j?????????i???????????j?j?e????X??j??????????????????????t???LegacyDriver?7???j???????????j???????6?????? ??????????s?????????????F??????Ju???????????????????????????j????????????X??????4???4???u?u?u???u??????????????????????????????LegacyDriver?????????????j?jos?????? ???????????????????????? ??????????????????????LegacyDriver?????????j??????????{4d36e97d-e325-11ce-bfc1-08002be10318}?nar???o?o?????????????????????j??? V???????????????????N?????????????LegacyDriver?7??da???j?j?j??LegacyDriver?????j?jMp????N?????????????LegacyDriver??????????????? Reg HKLM\SYSTEM\ControlSet002\services\ngvss\Parameters@asserts ???j?s??? r??????????????????j?j?j???????j???,??sC?????????????????s?????j?j?j???????????????????????????????:??????????????????????????????????????????????LegacyDriver?g???j?jDD???????y????N???????????D??????????????????;???????????:?????????j?&???????j???????5???????7??6-21-2006????j?j?j??LegacyDriver???????? ?????????????????????????N??????=???=?????j?z?????????????????s? ?????????????????????????????????s????????????????????????File system??????j?j?j??????????????????File System?????PEAUTH???????r?r? ???????????????????????????????????????????????? ??/???7???e???????????6???????j?j?j???????f???????e????????????N??j???????????????????j??????????????? ???????j?????j?????i?????????????? ????????7??????????????????????? ???????j??????????????????????N????????????j?j?j???j?j?????????j???s???????????????????????j?j?????????i???????????j?j?e????X??j??????????????????????t???LegacyDriver?7???j???????????j???????6?????? ??????????s?????????????F??????Ju???????????????????????????j????????????X??????4???4???u?u?u? ---- EOF - GMER 2.2 ----