GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-01 19:28:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-7 ST3250318AS rev.CC38 232,88GB Running: q9hq8uz6.exe; Driver: C:\Users\Pentium\AppData\Local\Temp\pfroipow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\psxss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 3 bytes JMP 0000000000121000 .text C:\Windows\system32\psxss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 4 000000007759c204 1 byte [88] .text C:\Windows\system32\psxss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 3 bytes JMP 0000000000120000 .text C:\Windows\system32\psxss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 4 000000007759c754 1 byte [88] .text C:\Windows\system32\psxss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 3 bytes JMP 0000000000122000 .text C:\Windows\system32\psxss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 4 000000007759c804 1 byte [88] .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000003e1000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000003e0000 .text C:\Windows\system32\winlogon.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000003e2000 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000321000 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000320000 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000322000 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000004c1000 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000004c0000 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000004c2000 .text C:\Windows\system32\nvvsvc.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000001c1000 .text C:\Windows\system32\nvvsvc.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000001c0000 .text C:\Windows\system32\nvvsvc.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000001c2000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007774fffc 5 bytes JMP 0000000000101000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077750824 5 bytes JMP 0000000000100000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007775092c 5 bytes JMP 0000000000102000 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769b1401 2 bytes JMP 76fdb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769b1419 2 bytes JMP 76fdb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769b1431 2 bytes JMP 77059149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769b144a 2 bytes CALL 76fb4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769b14dd 2 bytes JMP 77058a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769b14f5 2 bytes JMP 77058c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769b150d 2 bytes JMP 77058938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769b1525 2 bytes JMP 77058d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769b153d 2 bytes JMP 76fcfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769b1555 2 bytes JMP 76fd6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769b156d 2 bytes JMP 77059201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769b1585 2 bytes JMP 77058d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769b159d 2 bytes JMP 770588fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769b15b5 2 bytes JMP 76fcfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769b15cd 2 bytes JMP 76fdb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769b16b2 2 bytes JMP 770590c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[804] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769b16bd 2 bytes JMP 77058891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000001d1000 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000001d0000 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000001d2000 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000cf1000 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000cf0000 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000cf2000 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000c21000 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000c20000 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000c22000 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000401000 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000400000 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000402000 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000e21000 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000e20000 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000e22000 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000001221000 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000001220000 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000001222000 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000cf1000 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000cf0000 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000cf2000 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000821000 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000820000 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000822000 .text C:\Windows\system32\nvvsvc.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000cd1000 .text C:\Windows\system32\nvvsvc.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000cd0000 .text C:\Windows\system32\nvvsvc.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000cd2000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007774fffc 5 bytes JMP 0000000000091000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077750824 5 bytes JMP 0000000000090000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007775092c 5 bytes JMP 0000000000092000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769b1401 2 bytes JMP 76fdb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769b1419 2 bytes JMP 76fdb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769b1431 2 bytes JMP 77059149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769b144a 2 bytes CALL 76fb4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769b14dd 2 bytes JMP 77058a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769b14f5 2 bytes JMP 77058c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769b150d 2 bytes JMP 77058938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769b1525 2 bytes JMP 77058d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769b153d 2 bytes JMP 76fcfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769b1555 2 bytes JMP 76fd6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769b156d 2 bytes JMP 77059201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769b1585 2 bytes JMP 77058d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769b159d 2 bytes JMP 770588fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769b15b5 2 bytes JMP 76fcfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769b15cd 2 bytes JMP 76fdb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769b16b2 2 bytes JMP 770590c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769b16bd 2 bytes JMP 77058891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000002c1000 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000002c0000 .text C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000002c2000 .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007774fffc 5 bytes JMP 0000000000021000 .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077750824 5 bytes JMP 0000000000020000 .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007775092c 5 bytes JMP 0000000000022000 .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769b1401 2 bytes JMP 76fdb233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769b1419 2 bytes JMP 76fdb35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769b1431 2 bytes JMP 77059149 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769b144a 2 bytes CALL 76fb4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769b14dd 2 bytes JMP 77058a42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769b14f5 2 bytes JMP 77058c18 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769b150d 2 bytes JMP 77058938 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769b1525 2 bytes JMP 77058d02 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769b153d 2 bytes JMP 76fcfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769b1555 2 bytes JMP 76fd6907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769b156d 2 bytes JMP 77059201 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769b1585 2 bytes JMP 77058d62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769b159d 2 bytes JMP 770588fc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769b15b5 2 bytes JMP 76fcfd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769b15cd 2 bytes JMP 76fdb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769b16b2 2 bytes JMP 770590c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ASGT.exe[1704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769b16bd 2 bytes JMP 77058891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000002031000 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000002030000 .text C:\Windows\system32\taskhost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000002032000 .text C:\Windows\System32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000004c1000 .text C:\Windows\System32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000004c0000 .text C:\Windows\System32\svchost.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000004c2000 .text C:\Windows\system32\Dwm.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000021e1000 .text C:\Windows\system32\Dwm.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000021e0000 .text C:\Windows\system32\Dwm.exe[1968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000021e2000 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000001a1000 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000001a0000 .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000001a2000 .text C:\Windows\System32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000191000 .text C:\Windows\System32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000190000 .text C:\Windows\System32\svchost.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000192000 .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007774fffc 5 bytes JMP 0000000000021000 .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077750824 5 bytes JMP 0000000000020000 .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007775092c 5 bytes JMP 0000000000022000 .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769b1401 2 bytes JMP 76fdb233 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769b1419 2 bytes JMP 76fdb35e C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769b1431 2 bytes JMP 77059149 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769b144a 2 bytes CALL 76fb4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769b14dd 2 bytes JMP 77058a42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769b14f5 2 bytes JMP 77058c18 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769b150d 2 bytes JMP 77058938 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769b1525 2 bytes JMP 77058d02 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769b153d 2 bytes JMP 76fcfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769b1555 2 bytes JMP 76fd6907 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769b156d 2 bytes JMP 77059201 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769b1585 2 bytes JMP 77058d62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769b159d 2 bytes JMP 770588fc C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769b15b5 2 bytes JMP 76fcfd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769b15cd 2 bytes JMP 76fdb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769b16b2 2 bytes JMP 770590c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769b16bd 2 bytes JMP 77058891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Explorer.EXE[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000004c41000 .text C:\Windows\Explorer.EXE[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000004c40000 .text C:\Windows\Explorer.EXE[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000004c42000 .text C:\Windows\system32\mqsvc.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000811000 .text C:\Windows\system32\mqsvc.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000810000 .text C:\Windows\system32\mqsvc.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000812000 .text C:\Windows\system32\taskeng.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000002c1000 .text C:\Windows\system32\taskeng.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000002c0000 .text C:\Windows\system32\taskeng.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000002c2000 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007774fffc 5 bytes JMP 0000000000141000 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077750824 5 bytes JMP 0000000000140000 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007775092c 5 bytes JMP 0000000000142000 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769b1401 2 bytes JMP 76fdb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769b1419 2 bytes JMP 76fdb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769b1431 2 bytes JMP 77059149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769b144a 2 bytes CALL 76fb4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769b14dd 2 bytes JMP 77058a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769b14f5 2 bytes JMP 77058c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769b150d 2 bytes JMP 77058938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769b1525 2 bytes JMP 77058d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769b153d 2 bytes JMP 76fcfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769b1555 2 bytes JMP 76fd6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769b156d 2 bytes JMP 77059201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769b1585 2 bytes JMP 77058d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769b159d 2 bytes JMP 770588fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769b15b5 2 bytes JMP 76fcfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769b15cd 2 bytes JMP 76fdb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769b16b2 2 bytes JMP 770590c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769b16bd 2 bytes JMP 77058891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000831000 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000830000 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000832000 .text C:\Windows\System32\tcpsvcs.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000371000 .text C:\Windows\System32\tcpsvcs.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000370000 .text C:\Windows\System32\tcpsvcs.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000372000 .text C:\Windows\System32\snmp.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000291000 .text C:\Windows\System32\snmp.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000290000 .text C:\Windows\System32\snmp.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000292000 .text C:\Windows\system32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000001891000 .text C:\Windows\system32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000001890000 .text C:\Windows\system32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000001892000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007774fffc 5 bytes JMP 0000000000221000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077750824 5 bytes JMP 0000000000220000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007775092c 5 bytes JMP 0000000000222000 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075132bdc 5 bytes JMP 0000000000c11179 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769b1401 2 bytes JMP 76fdb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769b1419 2 bytes JMP 76fdb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769b1431 2 bytes JMP 77059149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769b144a 2 bytes CALL 76fb4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769b14dd 2 bytes JMP 77058a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769b14f5 2 bytes JMP 77058c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769b150d 2 bytes JMP 77058938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769b1525 2 bytes JMP 77058d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769b153d 2 bytes JMP 76fcfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769b1555 2 bytes JMP 76fd6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769b156d 2 bytes JMP 77059201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769b1585 2 bytes JMP 77058d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769b159d 2 bytes JMP 770588fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769b15b5 2 bytes JMP 76fcfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769b15cd 2 bytes JMP 76fdb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769b16b2 2 bytes JMP 770590c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769b16bd 2 bytes JMP 77058891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\RunDll32.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000002611000 .text C:\Windows\system32\RunDll32.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000002610000 .text C:\Windows\system32\RunDll32.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000002612000 .text C:\Windows\system32\RunDll32.exe[2348] C:\Windows\system32\KERNELBASE.dll!CreateDirectoryW 000007fefd599fb0 5 bytes JMP 000007fe7d5a0000 .text C:\Program Files\HP\HP Officejet 7610 series\Bin\HPNetworkCommunicatorCom.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000001cb1000 .text C:\Program Files\HP\HP Officejet 7610 series\Bin\HPNetworkCommunicatorCom.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000001cb0000 .text C:\Program Files\HP\HP Officejet 7610 series\Bin\HPNetworkCommunicatorCom.exe[3040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000001cb2000 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007774fffc 5 bytes JMP 00000000003f1000 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077750824 5 bytes JMP 00000000003f0000 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007775092c 5 bytes JMP 00000000003f2000 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769b1401 2 bytes JMP 76fdb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769b1419 2 bytes JMP 76fdb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769b1431 2 bytes JMP 77059149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769b144a 2 bytes CALL 76fb4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769b14dd 2 bytes JMP 77058a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769b14f5 2 bytes JMP 77058c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769b150d 2 bytes JMP 77058938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769b1525 2 bytes JMP 77058d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769b153d 2 bytes JMP 76fcfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769b1555 2 bytes JMP 76fd6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769b156d 2 bytes JMP 77059201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769b1585 2 bytes JMP 77058d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769b159d 2 bytes JMP 770588fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769b15b5 2 bytes JMP 76fcfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769b15cd 2 bytes JMP 76fdb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769b16b2 2 bytes JMP 770590c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3380] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769b16bd 2 bytes JMP 77058891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 0000000000271000 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 0000000000270000 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 0000000000272000 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000001b1000 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000001b0000 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000001b2000 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007759c200 5 bytes JMP 00000000003a1000 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007759c750 5 bytes JMP 00000000003a0000 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007759c800 5 bytes JMP 00000000003a2000 .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 000000007774fffc 5 bytes JMP 0000000000021000 .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 0000000077750824 5 bytes JMP 0000000000020000 .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 000000007775092c 5 bytes JMP 0000000000022000 .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000769b1401 2 bytes JMP 76fdb233 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000769b1419 2 bytes JMP 76fdb35e C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000769b1431 2 bytes JMP 77059149 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000769b144a 2 bytes CALL 76fb4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769b14dd 2 bytes JMP 77058a42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769b14f5 2 bytes JMP 77058c18 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000769b150d 2 bytes JMP 77058938 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000769b1525 2 bytes JMP 77058d02 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000769b153d 2 bytes JMP 76fcfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000769b1555 2 bytes JMP 76fd6907 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000769b156d 2 bytes JMP 77059201 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000769b1585 2 bytes JMP 77058d62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000769b159d 2 bytes JMP 770588fc C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769b15b5 2 bytes JMP 76fcfd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769b15cd 2 bytes JMP 76fdb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769b16b2 2 bytes JMP 770590c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Pentium\Desktop\q9hq8uz6.exe[5900] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769b16bd 2 bytes JMP 77058891 C:\Windows\syswow64\kernel32.dll ---- Devices - GMER 2.2 ---- Device \Driver\WudfPf \Device\WUDFLpcDevice fffff880085b1910 Device \Driver\WudfPf \Device\ProcessManagement fffff880085b1910 ---- EOF - GMER 2.2 ----