GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-12 11:44:04 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.MS1O 465,76GB Running: z3ox09o0.exe; Driver: C:\Users\Admin\AppData\Local\Temp\axldrpod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033fe000 65 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff800033fe042 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076d41310 5 bytes JMP 0000000076eb0bf8 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076d41330 5 bytes JMP 0000000076eb0e68 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d413a0 5 bytes JMP 0000000076ea0ac0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076d413e0 5 bytes JMP 0000000076eb0238 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076d41420 5 bytes JMP 0000000076eb04a8 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076d41480 5 bytes JMP 0000000076ea0bf8 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076d41520 5 bytes JMP 0000000076eb0d30 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076d415d0 5 bytes JMP 0000000076eb0100 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d415e0 5 bytes JMP 0000000076eb0ac0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d41650 5 bytes JMP 0000000076eb0fa0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d41670 5 bytes JMP 0000000076ea0fa0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d41800 5 bytes JMP 0000000076eb0850 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076d418b0 5 bytes JMP 0000000076eb05e0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076d41e00 5 bytes JMP 0000000076eb0988 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076d41e10 5 bytes JMP 0000000076ea0d30 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076d41e40 5 bytes JMP 0000000076ea0e68 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d420a0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076d424e0 1 byte JMP 0000000076eb0370 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076d424e2 3 bytes {JMP 0x16de90} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d427e0 5 bytes JMP 0000000076ec0100 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076d42b30 5 bytes JMP 0000000076eb0718 .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076ade390 5 bytes JMP 0000000076ea04a8 .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076adead0 5 bytes JMP 0000000076ea0370 .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076adf9f0 5 bytes JMP 0000000076ea0718 .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ae23d0 5 bytes JMP 0000000076ea05e0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076af3140 5 bytes JMP 0000000076ea0238 .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076b1bca1 4 bytes {JMP 0x384460} .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076b1c510 5 bytes JMP 0000000076ea0850 .text C:\Windows\system32\lsm.exe[632] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076b5f6c0 5 bytes JMP 0000000076ea0988 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe7b13b0 5 bytes JMP 000007fefe830ac0 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe7b18e0 5 bytes JMP 000007fefe830d30 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe7b2200 5 bytes JMP 000007fefe830850 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!connect 000007fefe7b45c0 5 bytes JMP 000007fefe830100 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!send 000007fefe7b8000 5 bytes JMP 000007fefe8304a8 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!sendto 000007fefe7bd7f0 5 bytes JMP 000007fefe8305e0 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!recv 000007fefe7bdf40 5 bytes JMP 000007fefe830238 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe7beb90 5 bytes JMP 000007fefe830370 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe7bed50 5 bytes JMP 000007fefe830bf8 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe7de0f0 5 bytes JMP 000007fefe830718 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe7de6c0 5 bytes JMP 000007fefe830988 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe7b13b0 5 bytes JMP 000007fefe830ac0 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe7b18e0 5 bytes JMP 000007fefe830d30 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe7b2200 5 bytes JMP 000007fefe830850 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!connect 000007fefe7b45c0 5 bytes JMP 000007fefe830100 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!send 000007fefe7b8000 5 bytes JMP 000007fefe8304a8 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!sendto 000007fefe7bd7f0 5 bytes JMP 000007fefe8305e0 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!recv 000007fefe7bdf40 5 bytes JMP 000007fefe830238 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe7beb90 5 bytes JMP 000007fefe830370 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe7bed50 5 bytes JMP 000007fefe830bf8 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe7de0f0 5 bytes JMP 000007fefe830718 .text C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe[2100] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe7de6c0 5 bytes JMP 000007fefe830988 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750534b5 5 bytes JMP 0000000100470594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075053918 5 bytes JMP 0000000100470c6c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075054406 5 bytes JMP 0000000100470a24 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!recv 0000000075056b0e 5 bytes JMP 0000000100470228 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!connect 0000000075056bdd 5 bytes JMP 0000000100470104 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!send 0000000075056f01 5 bytes JMP 0000000100470470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075057089 5 bytes JMP 00000001004707dc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007505b6dc 5 bytes JMP 000000010047034c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007505cba6 5 bytes JMP 0000000100470900 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007505cc3f 5 bytes JMP 00000001004706b8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007506b30c 5 bytes JMP 0000000100470b48 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a01465 2 bytes [A0, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a014bb 2 bytes [A0, 76] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe7b13b0 5 bytes JMP 000007fefe830ac0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe7b18e0 5 bytes JMP 000007fefe830d30 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe7b2200 5 bytes JMP 000007fefe830850 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!connect 000007fefe7b45c0 5 bytes JMP 000007fefe830100 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!send 000007fefe7b8000 5 bytes JMP 000007fefe8304a8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!sendto 000007fefe7bd7f0 5 bytes JMP 000007fefe8305e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!recv 000007fefe7bdf40 5 bytes JMP 000007fefe830238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe7beb90 5 bytes JMP 000007fefe830370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe7bed50 5 bytes JMP 000007fefe830bf8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe7de0f0 5 bytes JMP 000007fefe830718 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe7de6c0 5 bytes JMP 000007fefe830988 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076d41310 5 bytes JMP 0000000076ed0bf8 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076d41330 5 bytes JMP 0000000076ed0e68 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d413a0 5 bytes JMP 0000000076ea0ac0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076d413e0 5 bytes JMP 0000000076ed0238 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076d41420 5 bytes JMP 0000000076ed04a8 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076d41480 5 bytes JMP 0000000076ea0bf8 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076d41520 5 bytes JMP 0000000076ed0d30 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076d415d0 5 bytes JMP 0000000076ed0100 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d415e0 5 bytes JMP 0000000076ed0ac0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d41650 5 bytes JMP 0000000076ed0fa0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d41670 5 bytes JMP 0000000076ea0fa0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d41800 5 bytes JMP 0000000076ed0850 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076d418b0 5 bytes JMP 0000000076ed05e0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076d41e00 5 bytes JMP 0000000076ed0988 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076d41e10 5 bytes JMP 0000000076ea0d30 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076d41e40 5 bytes JMP 0000000076ea0e68 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d420a0 5 bytes JMP 0000000076ee0238 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076d424e0 1 byte JMP 0000000076ed0370 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076d424e2 3 bytes {JMP 0x18de90} .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d427e0 5 bytes JMP 0000000076ee0100 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076d42b30 5 bytes JMP 0000000076ed0718 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076ade390 5 bytes JMP 0000000076ea04a8 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076adead0 5 bytes JMP 0000000076ea0370 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076adf9f0 5 bytes JMP 0000000076ea0718 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ae23d0 5 bytes JMP 0000000076ea05e0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076af3140 5 bytes JMP 0000000076ea0238 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076b1bca1 4 bytes {JMP 0x384460} .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076b1c510 5 bytes JMP 0000000076ea0850 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076b5f6c0 5 bytes JMP 0000000076ea0988 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefeaf9980 5 bytes JMP 000007fefef904a8 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefeafa4c4 5 bytes JMP 000007fefef90370 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!StartServiceW 000007fefed99400 5 bytes JMP 000007fefef80fa0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007fefed9e810 5 bytes JMP 000007fefef80d30 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!OpenServiceA 000007fefedaa30c 5 bytes JMP 000007fefef80bf8 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007fefedaadc4 5 bytes JMP 000007fefef805e0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefedb55c8 5 bytes JMP 000007fefef80988 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!DeleteService 000007fefedb5654 5 bytes JMP 000007fefef80ac0 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!ControlService 000007fefedb5668 5 bytes JMP 000007fefef80718 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!StartServiceA + 1 000007fefedcb321 4 bytes {JMP 0x1b5b48} .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefedcb85c 5 bytes JMP 000007fefef80850 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefedcb9d0 5 bytes JMP 000007fefef80238 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefedcba3c 5 bytes JMP 000007fefef80100 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfig2W + 1 000007fefedcbaa9 4 bytes {JMP 0x1b4a00} .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfig2A + 1 000007fefedcbab5 4 bytes {JMP 0x1b48bc} .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!LsaRemoveAccountRights 000007fefedd9510 5 bytes JMP 000007fefef90238 .text C:\Windows\system32\taskhost.exe[1488] C:\Windows\system32\ADVAPI32.dll!LsaAddAccountRights 000007fefedd9580 5 bytes JMP 000007fefef90100 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076d41310 5 bytes JMP 0000000076eb0bf8 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076d41330 5 bytes JMP 0000000076eb0e68 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d413a0 5 bytes JMP 0000000076ea0ac0 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076d413e0 5 bytes JMP 0000000076eb0238 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076d41420 5 bytes JMP 0000000076eb04a8 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076d41480 5 bytes JMP 0000000076ea0bf8 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076d41520 5 bytes JMP 0000000076eb0d30 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076d415d0 5 bytes JMP 0000000076eb0100 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d415e0 5 bytes JMP 0000000076eb0ac0 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d41650 5 bytes JMP 0000000076eb0fa0 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d41670 5 bytes JMP 0000000076ea0fa0 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d41800 5 bytes JMP 0000000076eb0850 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076d418b0 5 bytes JMP 0000000076eb05e0 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076d41e00 5 bytes JMP 0000000076eb0988 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076d41e10 5 bytes JMP 0000000076ea0d30 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076d41e40 5 bytes JMP 0000000076ea0e68 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d420a0 5 bytes JMP 0000000076ec0238 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076d424e0 1 byte JMP 0000000076eb0370 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076d424e2 3 bytes {JMP 0x16de90} .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d427e0 5 bytes JMP 0000000076ec0100 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076d42b30 5 bytes JMP 0000000076eb0718 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076ade390 5 bytes JMP 0000000076ea04a8 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076adead0 5 bytes JMP 0000000076ea0370 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076adf9f0 5 bytes JMP 0000000076ea0718 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ae23d0 5 bytes JMP 0000000076ea05e0 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076af3140 5 bytes JMP 0000000076ea0238 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076b1bca1 4 bytes {JMP 0x384460} .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076b1c510 5 bytes JMP 0000000076ea0850 .text C:\Windows\system32\Dwm.exe[2236] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076b5f6c0 5 bytes JMP 0000000076ea0988 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000076d41310 5 bytes JMP 0000000076ed0bf8 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000076d41330 5 bytes JMP 0000000076ed0e68 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d413a0 5 bytes JMP 0000000076ea0ac0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 0000000076d413e0 5 bytes JMP 0000000076ed0238 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000076d41420 5 bytes JMP 0000000076ed04a8 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000076d41480 5 bytes JMP 0000000076ea0bf8 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000076d41520 5 bytes JMP 0000000076ed0d30 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 0000000076d415d0 5 bytes JMP 0000000076ed0100 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d415e0 5 bytes JMP 0000000076ed0ac0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d41650 5 bytes JMP 0000000076ed0fa0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d41670 5 bytes JMP 0000000076ea0fa0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d41800 5 bytes JMP 0000000076ed0850 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 0000000076d418b0 5 bytes JMP 0000000076ed05e0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000076d41e00 5 bytes JMP 0000000076ed0988 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000076d41e10 5 bytes JMP 0000000076ea0d30 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000076d41e40 5 bytes JMP 0000000076ea0e68 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d420a0 5 bytes JMP 0000000076ee0238 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 0000000076d424e0 1 byte JMP 0000000076ed0370 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey + 2 0000000076d424e2 3 bytes {JMP 0x18de90} .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d427e0 5 bytes JMP 0000000076ee0100 .text C:\Windows\Explorer.EXE[2584] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000076d42b30 5 bytes JMP 0000000076ed0718 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\kernel32.dll!MapViewOfFile 0000000076ade390 5 bytes JMP 0000000076ea04a8 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\kernel32.dll!CreateFileMappingA 0000000076adead0 5 bytes JMP 0000000076ea0370 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\kernel32.dll!CreateFileMappingW 0000000076adf9f0 5 bytes JMP 0000000076ea0718 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076ae23d0 5 bytes JMP 0000000076ea05e0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000076af3140 5 bytes JMP 0000000076ea0238 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\kernel32.dll!TerminateProcess + 1 0000000076b1bca1 4 bytes {JMP 0x384460} .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\kernel32.dll!CreateRemoteThread 0000000076b1c510 5 bytes JMP 0000000076ea0850 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076b5f6c0 5 bytes JMP 0000000076ea0988 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefeaf9980 5 bytes JMP 000007fefef904a8 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefeafa4c4 5 bytes JMP 000007fefef90370 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe7b13b0 5 bytes JMP 000007fefef90fa0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe7b18e0 5 bytes JMP 000007fefecf0238 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe7b2200 5 bytes JMP 000007fefef90d30 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!connect 000007fefe7b45c0 5 bytes JMP 000007fefef905e0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!send 000007fefe7b8000 5 bytes JMP 000007fefef90988 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!sendto 000007fefe7bd7f0 5 bytes JMP 000007fefef90ac0 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!recv 000007fefe7bdf40 5 bytes JMP 000007fefef90718 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe7beb90 5 bytes JMP 000007fefef90850 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe7bed50 5 bytes JMP 000007fefecf0100 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe7de0f0 5 bytes JMP 000007fefef90bf8 .text C:\Windows\Explorer.EXE[2584] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe7de6c0 5 bytes JMP 000007fefef90e68 .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750534b5 5 bytes JMP 0000000102e20594 .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075053918 5 bytes JMP 0000000102e20c6c .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075054406 5 bytes JMP 0000000102e20a24 .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!recv 0000000075056b0e 5 bytes JMP 0000000102e20228 .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!connect 0000000075056bdd 5 bytes JMP 0000000102e20104 .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!send 0000000075056f01 5 bytes JMP 0000000102e20470 .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075057089 5 bytes JMP 0000000102e207dc .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007505b6dc 5 bytes JMP 0000000102e2034c .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007505cba6 5 bytes JMP 0000000102e20900 .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007505cc3f 5 bytes JMP 0000000102e206b8 .text C:\Program Files (x86)\Xerox Scan To PC Desktop 11\PaperPort12\xdcla.exe[3248] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007506b30c 5 bytes JMP 0000000102e20b48 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert 0000000076d42ac0 6 bytes [48, B8, 25, 00, 28, 00] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\SYSTEM32\ntdll.dll!NtTestAlert + 8 0000000076d42ac8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!WSASend 000007fefe7b13b0 5 bytes JMP 000007fefe830ac0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!closesocket 000007fefe7b18e0 5 bytes JMP 000007fefe830d30 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefe7b2200 5 bytes JMP 000007fefe830850 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!connect 000007fefe7b45c0 5 bytes JMP 000007fefe830100 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!send 000007fefe7b8000 5 bytes JMP 000007fefe8304a8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!sendto 000007fefe7bd7f0 5 bytes JMP 000007fefe8305e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!recv 000007fefe7bdf40 5 bytes JMP 000007fefe830238 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefe7beb90 5 bytes JMP 000007fefe830370 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefe7bed50 5 bytes JMP 000007fefe830bf8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefe7de0f0 5 bytes JMP 000007fefe830718 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3264] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefe7de6c0 5 bytes JMP 000007fefe830988 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750534b5 5 bytes JMP 0000000100320594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075053918 5 bytes JMP 0000000100320c6c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075054406 5 bytes JMP 0000000100320a24 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!recv 0000000075056b0e 5 bytes JMP 0000000100320228 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!connect 0000000075056bdd 5 bytes JMP 0000000100320104 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!send 0000000075056f01 5 bytes JMP 0000000100320470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075057089 5 bytes JMP 00000001003207dc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007505b6dc 5 bytes JMP 000000010032034c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007505cba6 5 bytes JMP 0000000100320900 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007505cc3f 5 bytes JMP 00000001003206b8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5860] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007506b30c 5 bytes JMP 0000000100320b48 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750534b5 5 bytes JMP 00000001004e0594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075053918 5 bytes JMP 00000001004e0c6c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075054406 5 bytes JMP 00000001004e0a24 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!recv 0000000075056b0e 5 bytes JMP 00000001004e0228 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!connect 0000000075056bdd 5 bytes JMP 00000001004e0104 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!send 0000000075056f01 5 bytes JMP 00000001004e0470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075057089 5 bytes JMP 00000001004e07dc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007505b6dc 5 bytes JMP 00000001004e034c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007505cba6 5 bytes JMP 00000001004e0900 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007505cc3f 5 bytes JMP 00000001004e06b8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3624] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007506b30c 5 bytes JMP 00000001004e0b48 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750534b5 5 bytes JMP 00000001008d0594 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075053918 5 bytes JMP 00000001008d0c6c .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075054406 5 bytes JMP 00000001008d0a24 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!recv 0000000075056b0e 5 bytes JMP 00000001008d0228 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!connect 0000000075056bdd 5 bytes JMP 00000001008d0104 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!send 0000000075056f01 5 bytes JMP 00000001008d0470 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075057089 5 bytes JMP 00000001008d07dc .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007505b6dc 5 bytes JMP 00000001008d034c .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007505cba6 5 bytes JMP 00000001008d0900 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007505cc3f 5 bytes JMP 00000001008d06b8 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007506b30c 5 bytes JMP 00000001008d0b48 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a01465 2 bytes [A0, 76] .text C:\Program Files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe[192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a014bb 2 bytes [A0, 76] .text ... * 2 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076a01465 2 bytes [A0, 76] .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000076a014bb 2 bytes [A0, 76] .text ... * 2 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!sendto 00000000750534b5 5 bytes JMP 0000000103040594 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075053918 5 bytes JMP 0000000103040c6c .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075054406 5 bytes JMP 0000000103040a24 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!recv 0000000075056b0e 5 bytes JMP 0000000103040228 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!connect 0000000075056bdd 5 bytes JMP 0000000103040104 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!send 0000000075056f01 5 bytes JMP 0000000103040470 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075057089 5 bytes JMP 00000001030407dc .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!recvfrom 000000007505b6dc 5 bytes JMP 000000010304034c .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 000000007505cba6 5 bytes JMP 0000000103040900 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!WSAConnect 000000007505cc3f 5 bytes JMP 00000001030406b8 .text C:\Users\Admin\Downloads\OTL.exe[3684] C:\Windows\syswow64\WS2_32.dll!WSASendTo 000000007506b30c 5 bytes JMP 0000000103040b48 ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\ntdll.dll [976:980] 0000000000404b9c Thread C:\Windows\SysWOW64\ntdll.dll [976:116] 0000000000401c80 Thread C:\Windows\SysWOW64\ntdll.dll [976:120] 0000000000402070 Thread C:\Windows\SysWOW64\ntdll.dll [1156:1096] 0000000000c8975e Thread C:\Windows\SysWOW64\ntdll.dll [2764:2776] 0000000010d94365 Thread C:\Windows\SysWOW64\ntdll.dll [2764:2340] 000000003d3ec910 Thread C:\Windows\SysWOW64\ntdll.dll [2764:2228] 000000000802a770 Thread C:\Windows\SysWOW64\ntdll.dll [2764:2636] 0000000008017bd0 Thread C:\Windows\SysWOW64\ntdll.dll [2764:2548] 00000000080166e0 Thread C:\Windows\SysWOW64\ntdll.dll [2764:3748] 00000000027d24c0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2884] 000000002a01bff0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2444] 000000002a016410 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2864] 000000002a00e0a0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2844] 000000002a0038e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2912] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2900] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2920] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2908] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2928] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2916] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:3036] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2924] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:3060] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2432] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:1520] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2056] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2052] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2064] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2072] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2060] 000000002a00c7e0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2076] 000000002a00d0a0 Thread C:\Windows\SysWOW64\ntdll.dll [2888:2068] 000000002a014aa0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2520] 000000002b01ac01 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2936] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2932] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2940] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2944] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2952] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2948] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2960] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2956] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2968] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2964] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2976] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2972] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2984] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2980] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:2992] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:3004] 000000002b00c9c0 Thread C:\Windows\SysWOW64\ntdll.dll [2516:3016] 000000002b00d480 Thread C:\Windows\SysWOW64\ntdll.dll [2516:4012] 000000002b002d70 Thread C:\Windows\SysWOW64\ntdll.dll [2516:3148] 000000002b00b170 ---- EOF - GMER 2.1 ----