GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-30 11:50:43
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST31000528AS rev.CC44 931,51GB
Running: 39zlv4t4.exe; Driver: C:\Users\pc\AppData\Local\Temp\uglcraoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff800033ff000 93 bytes [89, 6C, 24, 70, E9, 4B, FF, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 638 fffff800033ff05e 57 bytes [05, 05, 20, 1B, 00, 49, 8D, ...]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e31310 5 bytes JMP 0000000076fa0bf8
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e31330 5 bytes JMP 0000000076fa0e68
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e313a0 5 bytes JMP 0000000076f90ac0
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076e313e0 5 bytes JMP 0000000076fa0238
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076e31420 5 bytes JMP 0000000076fa04a8
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076e31480 5 bytes JMP 0000000076f90bf8
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076e31520 5 bytes JMP 0000000076fa0d30
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076e315d0 5 bytes JMP 0000000076fa0100
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e315e0 5 bytes JMP 0000000076fa0ac0
.text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e31650 5 bytes JMP 0000000076fa0fa0
.text C:\Windows\system32\lsm.exe[540] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e31670 5 bytes JMP 0000000076f90fa0 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e31800 5 bytes JMP 0000000076fa0850 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e318b0 5 bytes JMP 0000000076fa05e0 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076e31e00 5 bytes JMP 0000000076fa0988 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076e31e10 5 bytes JMP 0000000076f90d30 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076e31e40 5 bytes JMP 0000000076f90e68 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e320a0 5 bytes JMP 0000000076fb0238 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076e324e0 1 byte JMP 0000000076fa0370 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076e324e2 3 bytes {JMP 0x16de90} .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e327e0 5 bytes JMP 0000000076fb0100 .text C:\Windows\system32\lsm.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076e32b30 5 bytes JMP 0000000076fa0718 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076bce390 5 bytes JMP 0000000076f904a8 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076bcead0 5 bytes JMP 0000000076f90370 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076bcf9f0 5 bytes JMP 0000000076f90718 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076bd23d0 5 bytes JMP 0000000076f905e0 .text C:\Windows\system32\lsm.exe[540] 
C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076be3140 5 bytes JMP 0000000076f90238 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076c0bca1 4 bytes {JMP 0x384460} .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076c0c510 5 bytes JMP 0000000076f90850 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c4f6c0 5 bytes JMP 0000000076f90988 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefda09980 5 bytes JMP 000007fefdc00238 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefda0a4c4 2 bytes JMP 000007fefdc00100 .text C:\Windows\system32\lsm.exe[540] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx + 3 000007fefda0a4c7 2 bytes [1F, 00] .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e31310 5 bytes JMP 0000000076fc0bf8 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e31330 5 bytes JMP 0000000076fc0e68 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e313a0 5 bytes JMP 0000000076f90ac0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076e313e0 5 bytes JMP 0000000076fc0238 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076e31420 5 bytes JMP 0000000076fc04a8 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076e31480 5 bytes JMP 0000000076f90bf8 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076e31520 5 bytes JMP 0000000076fc0d30 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076e315d0 5 bytes JMP 0000000076fc0100 .text 
C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e315e0 5 bytes JMP 0000000076fc0ac0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e31650 5 bytes JMP 0000000076fc0fa0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e31670 5 bytes JMP 0000000076f90fa0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e31800 5 bytes JMP 0000000076fc0850 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e318b0 5 bytes JMP 0000000076fc05e0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076e31e00 5 bytes JMP 0000000076fc0988 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076e31e10 5 bytes JMP 0000000076f90d30 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076e31e40 5 bytes JMP 0000000076f90e68 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e320a0 5 bytes JMP 0000000076fd0238 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076e324e0 1 byte JMP 0000000076fc0370 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076e324e2 3 bytes {JMP 0x18de90} .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e327e0 5 bytes JMP 0000000076fd0100 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076e32b30 5 bytes JMP 0000000076fc0718 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076bce390 5 bytes JMP 0000000076f904a8 .text C:\Windows\system32\taskhost.exe[1692] 
C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076bcead0 5 bytes JMP 0000000076f90370 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076bcf9f0 5 bytes JMP 0000000076f90718 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076bd23d0 5 bytes JMP 0000000076f905e0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076be3140 5 bytes JMP 0000000076f90238 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076c0bca1 4 bytes {JMP 0x384460} .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076c0c510 5 bytes JMP 0000000076f90850 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c4f6c0 5 bytes JMP 0000000076f90988 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefda09980 5 bytes JMP 000007fefdc00238 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefda0a4c4 2 bytes JMP 000007fefdc00100 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx + 3 000007fefda0a4c7 2 bytes [1F, 00] .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!StartServiceW 000007fefcff6ff0 5 bytes JMP 000007fefd440fa0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefcffc2c0 5 bytes JMP 000007fefd440d30 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefd007b7c 2 bytes JMP 000007fefd440bf8 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!OpenServiceA + 3 000007fefd007b7f 2 bytes [43, 00] .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 
000007fefd007e04 5 bytes JMP 000007fefd4405e0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefd013b44 5 bytes JMP 000007fefd440988 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!DeleteService 000007fefd013bc4 5 bytes JMP 000007fefd440ac0 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefd013bd8 5 bytes JMP 000007fefd440718 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!StartServiceA + 1 000007fefd02b1a1 4 bytes {JMP 0x415cc8} .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefd02b704 5 bytes JMP 000007fefd440850 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefd02b870 5 bytes JMP 000007fefd440238 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefd02b8dc 5 bytes JMP 000007fefd440100 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfig2W + 1 000007fefd02b949 4 bytes {JMP 0x414b60} .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfig2A + 1 000007fefd02b955 4 bytes {JMP 0x414a1c} .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!LsaRemoveAccountRights 000007fefd038ff0 5 bytes JMP 000007fefd450238 .text C:\Windows\system32\taskhost.exe[1692] C:\Windows\system32\ADVAPI32.dll!LsaAddAccountRights 000007fefd039060 5 bytes JMP 000007fefd450100 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e31310 5 bytes JMP 0000000076fa0bf8 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e31330 5 bytes JMP 0000000076fa0e68 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e313a0 5 bytes JMP 0000000076f90ac0 .text 
C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076e313e0 5 bytes JMP 0000000076fa0238 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076e31420 5 bytes JMP 0000000076fa04a8 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076e31480 5 bytes JMP 0000000076f90bf8 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076e31520 5 bytes JMP 0000000076fa0d30 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076e315d0 5 bytes JMP 0000000076fa0100 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e315e0 5 bytes JMP 0000000076fa0ac0 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e31650 5 bytes JMP 0000000076fa0fa0 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e31670 5 bytes JMP 0000000076f90fa0 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e31800 5 bytes JMP 0000000076fa0850 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e318b0 5 bytes JMP 0000000076fa05e0 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076e31e00 5 bytes JMP 0000000076fa0988 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076e31e10 5 bytes JMP 0000000076f90d30 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076e31e40 5 bytes JMP 0000000076f90e68 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e320a0 5 bytes JMP 0000000076fc0238 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076e324e0 1 byte JMP 0000000076fa0370 .text 
C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076e324e2 3 bytes {JMP 0x16de90} .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e327e0 5 bytes JMP 0000000076fc0100 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076e32b30 5 bytes JMP 0000000076fa0718 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076bce390 5 bytes JMP 0000000076f904a8 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076bcead0 5 bytes JMP 0000000076f90370 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076bcf9f0 5 bytes JMP 0000000076f90718 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076bd23d0 5 bytes JMP 0000000076f905e0 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076be3140 5 bytes JMP 0000000076f90238 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076c0bca1 4 bytes {JMP 0x384460} .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076c0c510 5 bytes JMP 0000000076f90850 .text C:\Windows\system32\Dwm.exe[1468] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c4f6c0 5 bytes JMP 0000000076f90988 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e31310 5 bytes JMP 0000000076fc0bf8 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e31330 5 bytes JMP 0000000076fc0e68 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e313a0 5 bytes JMP 0000000076f90ac0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076e313e0 5 bytes JMP 0000000076fc0238 .text 
C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076e31420 5 bytes JMP 0000000076fc04a8 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076e31480 5 bytes JMP 0000000076f90bf8 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076e31520 5 bytes JMP 0000000076fc0d30 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076e315d0 5 bytes JMP 0000000076fc0100 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e315e0 5 bytes JMP 0000000076fc0ac0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e31650 5 bytes JMP 0000000076fc0fa0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e31670 5 bytes JMP 0000000076f90fa0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e31800 5 bytes JMP 0000000076fc0850 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e318b0 5 bytes JMP 0000000076fc05e0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076e31e00 5 bytes JMP 0000000076fc0988 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076e31e10 5 bytes JMP 0000000076f90d30 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076e31e40 5 bytes JMP 0000000076f90e68 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e320a0 5 bytes JMP 0000000076fd0238 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076e324e0 1 byte JMP 0000000076fc0370 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076e324e2 3 bytes {JMP 0x18de90} .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
0000000076e327e0 5 bytes JMP 0000000076fd0100 .text C:\Windows\Explorer.EXE[1544] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076e32b30 5 bytes JMP 0000000076fc0718 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076bce390 5 bytes JMP 0000000076f904a8 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076bcead0 5 bytes JMP 0000000076f90370 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076bcf9f0 5 bytes JMP 0000000076f90718 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076bd23d0 5 bytes JMP 0000000076f905e0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076be3140 5 bytes JMP 0000000076f90238 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076c0bca1 4 bytes {JMP 0x384460} .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076c0c510 5 bytes JMP 0000000076f90850 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c4f6c0 5 bytes JMP 0000000076f90988 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!StartServiceW 000007fefcff6ff0 5 bytes JMP 000007fefd440d30 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefcffc2c0 5 bytes JMP 000007fefd440ac0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefd007b7c 5 bytes JMP 000007fefd440988 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefd007e04 5 bytes JMP 000007fefd440370 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefd013b44 5 bytes JMP 000007fefd440718 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!DeleteService 000007fefd013bc4 5 bytes JMP 
000007fefd440850 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefd013bd8 5 bytes JMP 000007fefd4404a8 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!StartServiceA + 1 000007fefd02b1a1 4 bytes {JMP 0x415a58} .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefd02b704 5 bytes JMP 000007fefd4405e0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefd02b870 5 bytes JMP 000007fefd510fa0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefd02b8dc 5 bytes JMP 000007fefd510e68 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfig2W + 1 000007fefd02b949 4 bytes {JMP 0x4a} .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfig2A + 2 000007fefd02b956 3 bytes {JMP 0x4147ac} .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!LsaRemoveAccountRights 000007fefd038ff0 5 bytes JMP 000007fefd440fa0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ADVAPI32.dll!LsaAddAccountRights 000007fefd039060 5 bytes JMP 000007fefd440e68 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefda09980 5 bytes JMP 000007fefeff0238 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefda0a4c4 2 bytes JMP 000007fefeff0100 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx + 3 000007fefda0a4c7 2 bytes [5E, 01] .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd4c13b0 5 bytes JMP 000007fefd510ac0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4c18e0 5 bytes JMP 000007fefd510d30 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd4c2200 5 bytes JMP 000007fefd510850 .text C:\Windows\Explorer.EXE[1544] 
C:\Windows\system32\WS2_32.dll!connect 000007fefd4c45c0 5 bytes JMP 000007fefd510100 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!send 000007fefd4c8000 5 bytes JMP 000007fefd5104a8 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!sendto 000007fefd4cd7f0 5 bytes JMP 000007fefd5105e0 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!recv 000007fefd4cdf40 5 bytes JMP 000007fefd510238 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd4ceb90 5 bytes JMP 000007fefd510370 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd4ced50 5 bytes JMP 000007fefd510bf8 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd4ee0f0 5 bytes JMP 000007fefd510718 .text C:\Windows\Explorer.EXE[1544] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd4ee6c0 5 bytes JMP 000007fefd510988 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd4c13b0 5 bytes JMP 000007fefd510ac0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4c18e0 5 bytes JMP 000007fefd510d30 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd4c2200 5 bytes JMP 000007fefd510850 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!connect 000007fefd4c45c0 5 bytes JMP 000007fefd510100 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!send 000007fefd4c8000 5 bytes JMP 000007fefd5104a8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!sendto 000007fefd4cd7f0 5 bytes JMP 000007fefd5105e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] 
C:\Windows\system32\WS2_32.dll!recv 000007fefd4cdf40 5 bytes JMP 000007fefd510238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd4ceb90 5 bytes JMP 000007fefd510370 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd4ced50 5 bytes JMP 000007fefd510bf8 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd4ee0f0 5 bytes JMP 000007fefd510718 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1752] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd4ee6c0 5 bytes JMP 000007fefd510988 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e31310 5 bytes JMP 0000000076fa0bf8 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e31330 5 bytes JMP 0000000076fa0e68 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e313a0 5 bytes JMP 0000000076f90ac0 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076e313e0 5 bytes JMP 0000000076fa0238 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076e31420 5 bytes JMP 0000000076fa04a8 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076e31480 5 bytes JMP 0000000076f90bf8 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076e31520 5 bytes JMP 0000000076fa0d30 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076e315d0 5 bytes JMP 0000000076fa0100 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e315e0 5 bytes JMP 0000000076fa0ac0 .text C:\Windows\system32\rundll32.exe[2360] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e31650 5 bytes JMP 0000000076fa0fa0 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e31670 5 bytes JMP 0000000076f90fa0 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e31800 5 bytes JMP 0000000076fa0850 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e318b0 5 bytes JMP 0000000076fa05e0 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076e31e00 5 bytes JMP 0000000076fa0988 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076e31e10 5 bytes JMP 0000000076f90d30 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076e31e40 5 bytes JMP 0000000076f90e68 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e320a0 5 bytes JMP 0000000076fb0238 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076e324e0 1 byte JMP 0000000076fa0370 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076e324e2 3 bytes {JMP 0x16de90} .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e327e0 5 bytes JMP 0000000076fb0100 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076e32b30 5 bytes JMP 0000000076fa0718 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076bce390 5 bytes JMP 0000000076f904a8 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076bcead0 5 bytes JMP 0000000076f90370 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076bcf9f0 
5 bytes JMP 0000000076f90718 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076bd23d0 5 bytes JMP 0000000076f905e0 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076be3140 5 bytes JMP 0000000076f90238 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076c0bca1 4 bytes {JMP 0x384460} .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076c0c510 5 bytes JMP 0000000076f90850 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c4f6c0 5 bytes JMP 0000000076f90988 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefda09980 5 bytes JMP 000007fefdc00238 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefda0a4c4 2 bytes JMP 000007fefdc00100 .text C:\Windows\system32\rundll32.exe[2360] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx + 3 000007fefda0a4c7 2 bytes [1F, 00] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!sendto 00000000762534b5 5 bytes JMP 0000000100790594 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076253918 5 bytes JMP 0000000100790c6c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076254406 5 bytes JMP 0000000100790a24 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!recv 0000000076256b0e 5 bytes JMP 0000000100790228 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!connect 0000000076256bdd 5 bytes JMP 0000000100790104 .text 
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!send 0000000076256f01 5 bytes JMP 0000000100790470
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076257089 5 bytes JMP 00000001007907dc
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007625b6dc 5 bytes JMP 000000010079034c
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007625cba6 5 bytes JMP 0000000100790900
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007625cc3f 5 bytes JMP 00000001007906b8
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007626b30c 5 bytes JMP 0000000100790b48
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074bb1465 2 bytes [BB, 74]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074bb14bb 2 bytes [BB, 74]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072591a22 2 bytes [59, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072591ad0 2 bytes [59, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072591b08 2 bytes [59, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072591bba 2 bytes [59, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072591bda 2 bytes [59, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!sendto 00000000762534b5 5 bytes JMP 0000000100980594
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076253918 5 bytes JMP 0000000100980c6c
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076254406 5 bytes JMP 0000000100980a24
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!recv 0000000076256b0e 5 bytes JMP 0000000100980228
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!connect 0000000076256bdd 5 bytes JMP 0000000100980104
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!send 0000000076256f01 5 bytes JMP 0000000100980470
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076257089 5 bytes JMP 00000001009807dc
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007625b6dc 5 bytes JMP 000000010098034c
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007625cba6 5 bytes JMP 0000000100980900
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007625cc3f 5 bytes JMP 00000001009806b8
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007626b30c 5 bytes JMP 0000000100980b48
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074bb1465 2 bytes [BB, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074bb14bb 2 bytes [BB, 74]
.text ... * 2
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd4c13b0 5 bytes JMP 000007fefd510ac0
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4c18e0 5 bytes JMP 000007fefd510d30
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd4c2200 5 bytes JMP 000007fefd510850
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!connect 000007fefd4c45c0 5 bytes JMP 000007fefd510100
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!send 000007fefd4c8000 5 bytes JMP 000007fefd5104a8
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!sendto 000007fefd4cd7f0 5 bytes JMP 000007fefd5105e0
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!recv 000007fefd4cdf40 5 bytes JMP 000007fefd510238
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd4ceb90 5 bytes JMP 000007fefd510370
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd4ced50 5 bytes JMP 000007fefd510bf8
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd4ee0f0 5 bytes JMP 000007fefd510718
.text C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe[2388] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd4ee6c0 5 bytes JMP 000007fefd510988
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!sendto 00000000762534b5 5 bytes JMP 0000000100310594
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000076253918 5 bytes JMP 0000000100310c6c
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000076254406 5 bytes JMP 0000000100310a24
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!recv 0000000076256b0e 5 bytes JMP 0000000100310228
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!connect 0000000076256bdd 5 bytes JMP 0000000100310104
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!send 0000000076256f01 5 bytes JMP 0000000100310470
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000076257089 5 bytes JMP 00000001003107dc
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007625b6dc 5 bytes JMP 000000010031034c
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007625cba6 5 bytes JMP 0000000100310900
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007625cc3f 5 bytes JMP 00000001003106b8
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe[2860] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007626b30c 5 bytes JMP 0000000100310b48
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd4c13b0 5 bytes JMP 000007fefd510ac0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4c18e0 5 bytes JMP 000007fefd510d30
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd4c2200 5 bytes JMP 000007fefd510850
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!connect 000007fefd4c45c0 5 bytes JMP 000007fefd510100
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!send 000007fefd4c8000 5 bytes JMP 000007fefd5104a8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!sendto 000007fefd4cd7f0 5 bytes JMP 000007fefd5105e0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!recv 000007fefd4cdf40 5 bytes JMP 000007fefd510238
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd4ceb90 5 bytes JMP 000007fefd510370
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd4ced50 5 bytes JMP 000007fefd510bf8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd4ee0f0 5 bytes JMP 000007fefd510718
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd4ee6c0 5 bytes JMP 000007fefd510988
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd4c13b0 5 bytes JMP 000007fefd510ac0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4c18e0 5 bytes JMP 000007fefd510d30
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd4c2200 5 bytes JMP 000007fefd510850
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!connect 000007fefd4c45c0 5 bytes JMP 000007fefd510100
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!send 000007fefd4c8000 5 bytes JMP 000007fefd5104a8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!sendto 000007fefd4cd7f0 5 bytes JMP 000007fefd5105e0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!recv 000007fefd4cdf40 5 bytes JMP 000007fefd510238
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd4ceb90 5 bytes JMP 000007fefd510370
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd4ced50 5 bytes JMP 000007fefd510bf8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd4ee0f0 5 bytes JMP 000007fefd510718
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3416] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd4ee6c0 5 bytes JMP 000007fefd510988
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd4c13b0 5 bytes JMP 000007fefd510ac0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4c18e0 5 bytes JMP 000007fefd510d30
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd4c2200 5 bytes JMP 000007fefd510850
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!connect 000007fefd4c45c0 5 bytes JMP 000007fefd510100
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!send 000007fefd4c8000 5 bytes JMP 000007fefd5104a8
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!sendto 000007fefd4cd7f0 5 bytes JMP 000007fefd5105e0
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!recv 000007fefd4cdf40 5 bytes JMP 000007fefd510238
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd4ceb90 5 bytes JMP 000007fefd510370
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd4ced50 5 bytes JMP 000007fefd510bf8
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd4ee0f0 5 bytes JMP 000007fefd510718
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4000] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd4ee6c0 5 bytes JMP 000007fefd510988
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd4c13b0 5 bytes JMP 000007fefd510ac0
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!closesocket 000007fefd4c18e0 5 bytes JMP 000007fefd510d30
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd4c2200 5 bytes JMP 000007fefd510850
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!connect 000007fefd4c45c0 5 bytes JMP 000007fefd510100
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!send 000007fefd4c8000 5 bytes JMP 000007fefd5104a8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!sendto 000007fefd4cd7f0 5 bytes JMP 000007fefd5105e0
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!recv 000007fefd4cdf40 5 bytes JMP 000007fefd510238
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd4ceb90 5 bytes JMP 000007fefd510370
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd4ced50 5 bytes JMP 000007fefd510bf8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd4ee0f0 5 bytes JMP 000007fefd510718
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[204] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd4ee6c0 5 bytes JMP 000007fefd510988
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076e31310 5 bytes JMP 0000000076fa0bf8
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076e31330 5 bytes JMP 0000000076fa0e68
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076e313a0 5 bytes JMP 0000000076f90ac0
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076e313e0 5 bytes JMP 0000000076fa0238
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076e31420 5 bytes JMP 0000000076fa04a8
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076e31480 5 bytes JMP 0000000076f90bf8
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076e31520 5 bytes JMP 0000000076fa0d30
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076e315d0 5 bytes JMP 0000000076fa0100
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076e315e0 5 bytes JMP 0000000076fa0ac0
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e31650 5 bytes JMP 0000000076fa0fa0
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e31670 5 bytes JMP 0000000076f90fa0
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076e31800 5 bytes JMP 0000000076fa0850
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076e318b0 5 bytes JMP 0000000076fa05e0
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076e31e00 5 bytes JMP 0000000076fa0988
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076e31e10 5 bytes JMP 0000000076f90d30
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076e31e40 5 bytes JMP 0000000076f90e68
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e320a0 5 bytes JMP 0000000076fb0238
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076e324e0 1 byte JMP 0000000076fa0370
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076e324e2 3 bytes {JMP 0x16de90}
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e327e0 5 bytes JMP 0000000076fb0100
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076e32b30 5 bytes JMP 0000000076fa0718
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076bce390 5 bytes JMP 0000000076f904a8
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076bcead0 5 bytes JMP 0000000076f90370
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076bcf9f0 5 bytes JMP 0000000076f90718
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076bd23d0 5 bytes JMP 0000000076f905e0
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076be3140 5 bytes JMP 0000000076f90238
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076c0bca1 4 bytes {JMP 0x384460}
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076c0c510 5 bytes JMP 0000000076f90850
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c4f6c0 5 bytes JMP 0000000076f90988
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefda09980 5 bytes JMP 000007fefdc00238
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefda0a4c4 2 bytes JMP 000007fefdc00100
.text C:\Windows\system32\wbem\wmiprvse.exe[4468] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx + 3 000007fefda0a4c7 2 bytes [1F, 00]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\winlogon.exe[620] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefa4f2960] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[620] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefa4f2840] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[620] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefa4f2960] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[620] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefa4f2840] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1016] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefa4f2960] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1016] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefa4f2840] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefa4f2960] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1016] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefa4f2840] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!_XcptFilter] [8b4800000032e8d9]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!malloc] [f98348000001988b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!_initterm] [141af15ff0e74ff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!free] [1988b834800]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!_amsg_exit] [90c35b20c48348ff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!_vsnwprintf] [9090909090909090]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!wcschr] [6c894808245c8948]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!memset] [5718247489481024]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!iswalpha] [20518b4820ec8348]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!_purecall] [850fd28548d98b48]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[msvcrt.dll!__CxxFrameHandler3] [2863834800000266]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ntdll.dll!WinSqmIncrementDWORD] [8d480001414a15ff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ntdll.dll!WinSqmIsOptedIn] [830000000abe587b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ntdll.dll!RtlVirtualUnwind] [ccdf850f00f87f]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ntdll.dll!RtlLookupFunctionEntry] [fc985480f8b4800]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ntdll.dll!RtlCaptureContext] [c783480000025585]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GlobalLock] [57001f943b4e1a14]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetLastError] [dc850f0001]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!lstrlenW] [850fc33b00ebc38b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!CopyFileW] [48088949000000da]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GlobalUnlock] [48c38b0852ff118b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetModuleFileNameW] [20c4834830245c8b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!CreateProcessW] [909090909090c35f]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!CreateEventW] [c10ff000000001b8]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!CloseHandle] [909090c3c0ff2041]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!DisableThreadLibraryCalls] [74c9854890909090]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!Sleep] [4c000142e115ffd9]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!QueryPerformanceCounter] [ffd233c88b48c38b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetTickCount] [c48348000142db15]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetCurrentThreadId] [9090909090c35b20]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetCurrentProcessId] [8348f3ff90909090]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [498b48d98b4820ec]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!TerminateProcess] [d416850fc9854808]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetCurrentProcess] [c483480b8b480000]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!UnhandledExceptionFilter] [1426725ff485b20]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [9090909090909000]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetCommandLineW] [18f480539c033]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GlobalAddAtomW] [90909090c3c0950f]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!HeapFree] [2374c83b48c03338]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GlobalDeleteAtom] [b257840fd03b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetTempPathW] [448b48167501fa83]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!GetProcessHeap] [894c284188442824]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!LocalAlloc] [4800eb2451891049]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[KERNEL32.dll!LocalFree] [d883c01bc3184189]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!SendMessageTimeoutW] [c33b00ebc38b0000]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!FindWindowW] [eb18418d480e75]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!SendMessageCallbackW] [fffffeafe9008949]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!GetSubMenu] [feabe980004002bb]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!CheckMenuItem] [909090909090ffff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!PostMessageW] [9090909090909090]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!LoadStringW] [8b4820ec8348f3ff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!InsertMenuW] [f9834850498b48d9]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!MsgWaitForMultipleObjects] [141f715ff0b74ff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!AllowSetForegroundWindow] [8b48ff504b834800]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!GetWindowThreadProcessId] [ff0b74c98548484b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!DispatchMessageW] [638348000142c315]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!TranslateMessage] [c35b20c483480048]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[USER32.dll!PeekMessageW] [9090909090909090]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[SHLWAPI.dll!PathRemoveFileSpecW] [b38e840fc33b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[SHLWAPI.dll!PathGetArgsW] [57f8973b48128b48]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[SHLWAPI.dll!PathFileExistsW] [4bf850f0001]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[SHLWAPI.dll!PathFindFileNameW] [1f943b4a19148b4b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ole32.dll!CoCreateInstance] [850fc98548404b8b]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ole32.dll!ReleaseStgMedium] [908b8d480000024d]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[SHELL32.dll!DragQueryFileW] [82840f000157e897]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ADVAPI32.dll!GetTokenInformation] [9090909090909090]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ADVAPI32.dll!OpenProcessToken] [9090909090909090]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ADVAPI32.dll!RegOpenKeyExW] [cb8320ec8348f3ff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ADVAPI32.dll!RegQueryValueExW] [c3832059c10ff0ff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ADVAPI32.dll!RegCloseKey] [8b000002ff840fff]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ADVAPI32.dll!RegCreateKeyExW] [90c35b20c48348c3]
IAT C:\Windows\Explorer.EXE[1544] @ C:\Program Files\Windows Sidebar\sbdrop.dll[ADVAPI32.dll!RegSetValueExW] [9090909090909090]
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef374741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef3745f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef3745674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef3745e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef3747f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef3746a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef3746ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef3747b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef3747ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef37478b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef3744fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef3745d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2672] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef3747584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [204:3552] 000007fefaee2a7c
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [204:5816] 000007feef4ad618
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [204:5436] 000007fef8f65124

---- EOF - GMER 2.1 ----