GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-01 18:51:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.2AR1 931,51GB Running: pdpl130u.exe; Driver: C:\Users\Malin\AppData\Local\Temp\pxrcruow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1608] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1608] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1608] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1740] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1740] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1948] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1948] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1948] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076805ea5 5 bytes JMP 0000000172903a00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076839d0b 5 bytes JMP 0000000172903990 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2328] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2588] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2588] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2588] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2612] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2612] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2612] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2640] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2640] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2640] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2712] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2712] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2712] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2916] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2916] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2916] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3256] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3256] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3256] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076805ea5 5 bytes JMP 0000000172903a00 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076839d0b 5 bytes JMP 0000000172903990 .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[3860] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[3860] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[3860] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076805ea5 5 bytes JMP 0000000172903a00 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076839d0b 5 bytes JMP 0000000172903990 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3884] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3916] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3916] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3916] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 ? C:\windows\system32\mssprxy.dll [3916] entry point in ".rdata" section 00000000732571e6 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\fst_pl_186\fst_pl_186.exe[4664] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4320] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4320] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4320] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4568] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4568] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4568] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076805ea5 5 bytes JMP 0000000172903a00 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076839d0b 5 bytes JMP 0000000172903990 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[4596] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6400] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6400] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6400] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[3784] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[3784] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[3784] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6468] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6468] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6468] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\kernel32.dll!CreateFileW 00000000766a3f3c 4 bytes JMP 0000000162779970 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!SetWindowPos 0000000076aa8e4e 5 bytes JMP 0000000162779120 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!ShowWindow 0000000076ab0dfb 5 bytes JMP 00000001627790b0 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!SetFocus 0000000076ab2175 5 bytes JMP 0000000162779100 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!SetActiveWindow 0000000076ab3208 5 bytes JMP 0000000162779170 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!BringWindowToTop 0000000076ab7b3b 5 bytes JMP 0000000162779010 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!SetForegroundWindow 0000000076acf170 5 bytes JMP 0000000162778fe0 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!SwitchToThisWindow 0000000076ae90fc 5 bytes JMP 0000000162779040 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\USER32.dll!ShowWindowAsync 0000000076b07d97 5 bytes JMP 0000000162779060 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\ole32.dll!DoDragDrop 00000000768fa827 5 bytes JMP 0000000162778fc0 .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Origin\Origin.exe[6708] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076805ea5 5 bytes JMP 0000000172903a00 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076839d0b 5 bytes JMP 0000000172903990 .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe[3868] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[6108] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[3676] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000766a4913 5 bytes JMP 0000000172de43d0 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[3676] C:\windows\syswow64\kernel32.dll!LoadLibraryA 00000000766a49bf 5 bytes JMP 0000000172de4200 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[3676] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[3676] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[3676] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000766a4913 5 bytes JMP 0000000172de43d0 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!LoadLibraryA 00000000766a49bf 5 bytes JMP 0000000172de4200 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076805ea5 5 bytes JMP 0000000172903a00 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000076839d0b 5 bytes JMP 0000000172903990 .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\ProgramData\BitGuard\2.7.1832.68\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[6328] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3944] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[3944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000766a1f2e 7 bytes JMP 0000000172904b10 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000766a5bcd 7 bytes JMP 00000001729054b0 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000766b1429 7 bytes JMP 0000000172904e50 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000766bea5d 7 bytes JMP 0000000172904b00 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767488f4 7 bytes JMP 00000001729045c0 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076748979 5 bytes JMP 0000000172904670 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076748ccf 5 bytes JMP 00000001729045d0 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000767b1d1b 5 bytes JMP 0000000172904580 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000767b1dc9 5 bytes JMP 0000000172904540 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000767b2aa4 5 bytes JMP 0000000172904680 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000767b2d0a 5 bytes JMP 0000000172904360 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007724e9a2 5 bytes JMP 0000000172903b60 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007724ebdc 5 bytes JMP 0000000172903b80 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000076aa8a29 5 bytes JMP 0000000172903a40 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076ab4572 5 bytes JMP 00000001729042e0 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076accfca 5 bytes JMP 0000000172dd7440 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076ace567 5 bytes JMP 0000000172904350 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076af07d7 5 bytes JMP 0000000172903850 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076b07a5c 5 bytes JMP 00000001729042d0 .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077b41465 2 bytes [B4, 77] .text C:\Users\Malin\Downloads\pdpl130u.exe[5252] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077b414bb 2 bytes [B4, 77] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\448500035e34 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c485080d6f50 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c485080d6f50@a07591263125 0x0B 0xD8 0x6A 0xFB ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c485080d6f50@1883315422f7 0xEE 0x1A 0x5E 0x6B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\448500035e34 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c485080d6f50 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c485080d6f50@a07591263125 0x0B 0xD8 0x6A 0xFB ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c485080d6f50@1883315422f7 0xEE 0x1A 0x5E 0x6B ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----