GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-13 13:49:56 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1 KINGSTON_SV300S37A120G rev.506ABBF0 111,79GB Running: ol8xtel3.exe; Driver: C:\Users\AM\AppData\Local\Temp\uxlcqaoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033ff000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033ff02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\system32\services.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[740] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[240] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 6 bytes {JMP QWORD [RIP+0x8eceb20]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772715e0 6 bytes {JMP QWORD [RIP+0x8f0ea50]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077271800 6 bytes {JMP QWORD [RIP+0x8eee830]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000772718b0 6 bytes {JMP QWORD [RIP+0x8e8e780]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077271e40 6 bytes {JMP QWORD [RIP+0x8eae1f0]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 6 bytes {JMP QWORD [RIP+0x8f2d850]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007701db80 6 bytes {JMP QWORD [RIP+0x91a24b0]} .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\system32\Dwm.exe[1600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd1a9055 3 bytes CALL 9000027 .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 6 bytes {JMP QWORD [RIP+0x8eceb20]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772715e0 6 bytes {JMP QWORD [RIP+0x8f0ea50]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077271800 6 bytes {JMP QWORD [RIP+0x8eee830]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000772718b0 6 bytes {JMP QWORD [RIP+0x8e8e780]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077271e40 6 bytes {JMP QWORD [RIP+0x8eae1f0]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 6 bytes {JMP QWORD [RIP+0x8f2d850]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007701db80 6 bytes {JMP QWORD [RIP+0x91a24b0]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd1a9055 3 bytes [B5, 6F, 06] .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\msi.dll!MsiSetInternalUI 000007fef93f5cd0 6 bytes {JMP QWORD [RIP+0x37a360]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\msi.dll!MsiInstallProductA 000007fef9470f20 6 bytes JMP 10003 .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\msi.dll!MsiInstallProductW 000007fef947faa8 6 bytes JMP 37003100 .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007feee007b34 6 bytes {JMP QWORD [RIP+0xf84fc]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007feee0103c0 6 bytes JMP 6c0041 .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW 00000000051f3030 6 bytes {JMP QWORD [RIP+0x5ed000]} .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\WS2_32.dll!connect + 1 00000000051f45c1 5 bytes JMP 0 .text C:\Windows\Explorer.EXE[1628] C:\Windows\system32\WS2_32.dll!listen 00000000051f8290 6 bytes {JMP QWORD [RIP+0x4f7da0]} .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 6 bytes {JMP QWORD [RIP+0x8eceb20]} .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772715e0 6 bytes {JMP QWORD [RIP+0x8f0ea50]} .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077271800 6 bytes {JMP QWORD [RIP+0x8eee830]} .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000772718b0 6 bytes {JMP QWORD [RIP+0x8e8e780]} .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077271e40 6 bytes {JMP QWORD [RIP+0x8eae1f0]} .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 6 bytes {JMP QWORD [RIP+0x8f2d850]} .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007701db80 6 bytes {JMP QWORD [RIP+0x91a24b0]} .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd1a9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe6855c8 6 bytes JMP 19aa68 .text C:\Windows\system32\taskhost.exe[1916] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe69b85c 6 bytes JMP 0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2020] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 6 bytes {JMP QWORD [RIP+0x8eceb20]} .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772715e0 6 bytes {JMP QWORD [RIP+0x8f0ea50]} .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077271800 6 bytes {JMP QWORD [RIP+0x8eee830]} .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000772718b0 6 bytes {JMP QWORD [RIP+0x8e8e780]} .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077271e40 6 bytes {JMP QWORD [RIP+0x8eae1f0]} .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 6 bytes {JMP QWORD [RIP+0x8f2d850]} .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007701db80 6 bytes {JMP QWORD [RIP+0x91a24b0]} .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Program Files\Zune\ZuneLauncher.exe[1176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd1a9055 3 bytes CALL 9000027 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007741fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007741fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007741fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007741fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774200b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774200b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774201c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774201c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077420a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077420a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077421920 3 bytes JMP 7181000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077421924 2 bytes JMP 7181000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753c3bbb 3 bytes JMP 717e000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753c3bbf 2 bytes JMP 717e000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075262c91 4 bytes CALL 71af0000 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076ac8e4e 5 bytes JMP 000000016c02c350 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076ac9679 6 bytes JMP 719f000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076ad0dfb 5 bytes JMP 000000016c02c2e0 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ad12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SetFocus 0000000076ad2175 5 bytes JMP 000000016c02c330 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SetActiveWindow 0000000076ad3208 5 bytes JMP 000000016c02c3a0 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ad3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ad612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!BringWindowToTop 0000000076ad7b3b 5 bytes JMP 000000016c02c240 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000076aef170 5 bytes JMP 000000016c02c210 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SendInput 0000000076aeff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076aeff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow 0000000076b090fc 5 bytes JMP 000000016c02c270 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b2027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b202bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\USER32.dll!ShowWindowAsync 0000000076b27d97 5 bytes JMP 000000016c02c290 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755770c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075593264 6 bytes JMP 7196000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\ole32.dll!DoDragDrop 0000000076a5a827 5 bytes JMP 000000016c02c1f0 .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007690575a 6 bytes JMP 7175000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\WS2_32.dll!connect 0000000076906bdd 6 bytes JMP 717b000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\WS2_32.dll!listen 000000007690b001 6 bytes JMP 7178000a .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Program Files (x86)\Origin\Origin.exe[1224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[1876] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074931a22 2 bytes [93, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074931ad0 2 bytes [93, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074931b08 2 bytes [93, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074931bba 2 bytes [93, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074931bda 2 bytes [93, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Windows\SysWOW64\PnkBstrA.exe[1876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007741fc20 3 bytes JMP 717a000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007741fc24 2 bytes JMP 717a000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007741fd64 3 bytes JMP 7174000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007741fd68 2 bytes JMP 7174000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774200b4 3 bytes JMP 7177000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774200b8 2 bytes JMP 7177000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774201c4 3 bytes JMP 7180000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774201c8 2 bytes JMP 7180000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077420a44 3 bytes JMP 717d000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077420a48 2 bytes JMP 717d000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077421920 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077421924 2 bytes [70, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753c3bbb 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753c3bbf 2 bytes [6D, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075262c91 4 bytes CALL 71af0000 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076ac9679 6 bytes JMP 718f000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ad12a5 6 bytes JMP 7189000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ad3baa 6 bytes JMP 718c000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ad612e 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\USER32.dll!SendInput 0000000076aeff4a 3 bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076aeff4e 2 bytes [95, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b2027b 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b202bf 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755770c4 6 bytes {JMP QWORD [RIP+0x7182001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075593264 6 bytes {JMP QWORD [RIP+0x7185001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007690575a 6 bytes JMP 719f000a .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\WS2_32.dll!connect 0000000076906bdd 6 bytes {JMP QWORD [RIP+0x71a4001e]} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\WS2_32.dll!listen 000000007690b001 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 6 bytes {JMP QWORD [RIP+0x8eceb20]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772715e0 6 bytes {JMP QWORD [RIP+0x8f0ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077271800 6 bytes {JMP QWORD [RIP+0x8eee830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000772718b0 6 bytes {JMP QWORD [RIP+0x8e8e780]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077271e40 6 bytes {JMP QWORD [RIP+0x8eae1f0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 6 bytes {JMP QWORD [RIP+0x8f2d850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd1a9055 3 bytes [B5, 6F, 06] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\system32\ws2_32.dll!WSALookupServiceBeginW 0000000000dc3030 6 bytes {JMP QWORD [RIP+0x1a45d000]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\system32\ws2_32.dll!connect + 1 0000000000dc45c1 5 bytes {JMP QWORD [RIP+0x2fba70]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2392] C:\Windows\system32\ws2_32.dll!listen 0000000000dc8290 6 bytes {JMP QWORD [RIP+0x19c37da0]} .text C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[2784] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[2784] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000773d1465 2 bytes [3D, 77] .text C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[2784] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000773d14bb 2 bytes [3D, 77] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 6 bytes {JMP QWORD [RIP+0x8eceb20]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772715e0 6 bytes {JMP QWORD [RIP+0x8f0ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077271800 6 bytes {JMP QWORD [RIP+0x8eee830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000772718b0 6 bytes {JMP QWORD [RIP+0x8e8e780]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077271e40 6 bytes {JMP QWORD [RIP+0x8eae1f0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 6 bytes {JMP QWORD [RIP+0x8f2d850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1468] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd1a9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[2864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007741fc20 3 bytes JMP 717e000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007741fc24 2 bytes JMP 717e000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007741fd64 3 bytes JMP 7178000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007741fd68 2 bytes JMP 7178000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774200b4 3 bytes JMP 717b000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774200b8 2 bytes JMP 717b000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774201c4 3 bytes JMP 7184000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774201c8 2 bytes JMP 7184000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077420a44 3 bytes JMP 7181000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077420a48 2 bytes JMP 7181000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077421920 3 bytes JMP 7175000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077421924 2 bytes JMP 7175000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753c3bbb 3 bytes JMP 7172000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753c3bbf 2 bytes JMP 7172000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075262c91 4 bytes CALL 71af0000 .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\user32.DLL!SendMessageW 0000000076ac9679 6 bytes JMP 7196000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\user32.DLL!PostMessageW 0000000076ad12a5 6 bytes JMP 7190000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\user32.DLL!PostMessageA 0000000076ad3baa 6 bytes JMP 7193000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\user32.DLL!SendMessageA 0000000076ad612e 6 bytes JMP 7199000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\user32.DLL!SendInput 0000000076aeff4a 3 bytes JMP 719c000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\user32.DLL!SendInput + 4 0000000076aeff4e 2 bytes JMP 719c000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\user32.DLL!mouse_event 0000000076b2027b 6 bytes JMP 71a2000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\user32.DLL!keybd_event 0000000076b202bf 6 bytes JMP 719f000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755770c4 6 bytes JMP 7187000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075593264 6 bytes JMP 718a000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007690575a 6 bytes JMP 71a5000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\WS2_32.dll!connect 0000000076906bdd 6 bytes JMP 71ab000a .text C:\Program Files (x86)\iPlus\iPlusManager.exe[1364] C:\Windows\syswow64\WS2_32.dll!listen 000000007690b001 6 bytes JMP 71a8000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007741fc20 3 bytes JMP 718a000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007741fc24 2 bytes JMP 718a000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007741fd64 3 bytes JMP 7184000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007741fd68 2 bytes JMP 7184000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774200b4 3 bytes JMP 7187000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774200b8 2 bytes JMP 7187000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774201c4 3 bytes JMP 7190000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774201c8 2 bytes JMP 7190000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077420a44 3 bytes JMP 718d000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077420a48 2 bytes JMP 718d000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077421920 3 bytes JMP 7181000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077421924 2 bytes JMP 7181000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753c3bbb 3 bytes JMP 717e000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753c3bbf 2 bytes JMP 717e000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075262c91 4 bytes CALL 71af0000 .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076ac9679 6 bytes JMP 719f000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ad12a5 6 bytes JMP 7199000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ad3baa 6 bytes JMP 719c000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ad612e 6 bytes JMP 71a2000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\USER32.dll!SendInput 0000000076aeff4a 3 bytes JMP 71a5000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076aeff4e 2 bytes JMP 71a5000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b2027b 6 bytes JMP 71ab000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b202bf 6 bytes JMP 71a8000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755770c4 6 bytes JMP 7193000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075593264 6 bytes JMP 7196000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 000000007690575a 6 bytes JMP 7175000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\WS2_32.dll!connect 0000000076906bdd 6 bytes JMP 717b000a .text C:\Program Files (x86)\FindRight\bin\FindRight.BrowserAdapter.exe[4256] C:\Windows\syswow64\WS2_32.dll!listen 000000007690b001 6 bytes JMP 7178000a .text C:\Program Files (x86)\FindRight\updateFindRight.exe[5076] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe[3908] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077271510 6 bytes {JMP QWORD [RIP+0x8eceb20]} .text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772715e0 6 bytes {JMP QWORD [RIP+0x8f0ea50]} .text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077271800 6 bytes {JMP QWORD [RIP+0x8eee830]} .text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000772718b0 6 bytes {JMP QWORD [RIP+0x8e8e780]} .text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077271e40 6 bytes {JMP QWORD [RIP+0x8eae1f0]} .text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772727e0 6 bytes {JMP QWORD [RIP+0x8f2d850]} .text C:\Windows\notepad.exe[4856] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007701db80 6 bytes {JMP QWORD [RIP+0x91a24b0]} .text C:\Windows\notepad.exe[4856] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705ef8d 1 byte [62] .text C:\Windows\notepad.exe[4856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd1a9055 3 bytes CALL 9000027 .text C:\Windows\notepad.exe[4856] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007feee007b34 6 bytes {JMP QWORD [RIP+0x884fc]} .text C:\Windows\notepad.exe[4856] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007feee0103c0 6 bytes {JMP QWORD [RIP+0x9fc70]} .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007741fc20 3 bytes JMP 718a000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007741fc24 2 bytes JMP 718a000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007741fd64 3 bytes JMP 7184000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007741fd68 2 bytes JMP 7184000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774200b4 3 bytes JMP 7187000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774200b8 2 bytes JMP 7187000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774201c4 3 bytes JMP 7190000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774201c8 2 bytes JMP 7190000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077420a44 3 bytes JMP 718d000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077420a48 2 bytes JMP 718d000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077421920 3 bytes JMP 7181000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077421924 2 bytes JMP 7181000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000753c3bbb 3 bytes JMP 717e000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 00000000753c3bbf 2 bytes JMP 717e000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000753da2fd 1 byte [62] .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075262c91 4 bytes CALL 71af0000 .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076ac9679 6 bytes JMP 719f000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000076ad12a5 6 bytes JMP 7199000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076ad3baa 6 bytes JMP 719c000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000076ad612e 6 bytes JMP 71a2000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\USER32.dll!SendInput 0000000076aeff4a 3 bytes JMP 71a5000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000076aeff4e 2 bytes JMP 71a5000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\USER32.dll!mouse_event 0000000076b2027b 6 bytes JMP 71ab000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076b202bf 6 bytes JMP 71a8000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000755770c4 6 bytes JMP 7193000a .text C:\Users\AM\Desktop\ol8xtel3.exe[4852] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000075593264 6 bytes JMP 7196000a ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d060168 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d060168@6ce907264c32 0x0E 0x52 0x0E 0x75 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d060168@30196648e5eb 0x95 0x4A 0x81 0x5F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000b0d060168@30766f769d0f 0x39 0xDE 0x06 0xBC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d060168 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d060168@6ce907264c32 0x0E 0x52 0x0E 0x75 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d060168@30196648e5eb 0x95 0x4A 0x81 0x5F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000b0d060168@30766f769d0f 0x39 0xDE 0x06 0xBC ... ---- EOF - GMER 2.1 ----