GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-10 22:46:46
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-08M2NA0 rev.01.01A01 931,51GB
Running: xsz7gsln.exe; Driver: C:\Users\DAMNSL~1\AppData\Local\Temp\uwliypog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000176f80128
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000176f80018
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3972] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 0000000076f800a0
.text C:\Windows\system32\sppsvc.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\system32\sppsvc.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\system32\sppsvc.exe[4300] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\system32\WUDFHost.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\system32\WUDFHost.exe[4496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\system32\WUDFHost.exe[4496] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\system32\SearchIndexer.exe[228] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\system32\SearchIndexer.exe[228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\system32\SearchIndexer.exe[228] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\system32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000176f80128
.text C:\Windows\system32\svchost.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000176f80018
.text C:\Windows\system32\svchost.exe[5404] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 0000000076f800a0
.text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[5648] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[5648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[5648] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000176f80128
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000176f80018
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4976] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 0000000076f800a0
.text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[5744] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[5744] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe[6152] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe[6152] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe[6152] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe[6304] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe[6304] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe[6304] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Windows\system32\conhost.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\system32\conhost.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\system32\conhost.exe[5704] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000176f80128
.text C:\Windows\system32\svchost.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000176f80018
.text C:\Windows\system32\svchost.exe[1588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 0000000076f800a0
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe[2432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\winlogon.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\system32\winlogon.exe[7572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\system32\winlogon.exe[7572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\system32\atieclxx.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\system32\atieclxx.exe[2548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\system32\atieclxx.exe[2548] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\system32\taskhost.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\system32\taskhost.exe[5708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\system32\taskhost.exe[5708] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ASUS\GPU Tweak\2dpainting.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\Dwm.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\system32\Dwm.exe[7472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\system32\Dwm.exe[7472] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\Explorer.EXE[6088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Windows\Explorer.EXE[6088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Windows\Explorer.EXE[6088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 0000000103bd9090
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[116] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 0000000102a99090
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[3936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5060] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0
.text C:\Windows\SysWOW64\ctfmon.exe[7424] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Windows\SysWOW64\ctfmon.exe[7424] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Windows\SysWOW64\ctfmon.exe[7424] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 0000000100d79090
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[428] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 0000000100549090
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\system\rads_user_kernel.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 0000000102789090
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll
.text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll
.text
D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_launcher\releases\0.0.0.238\deploy\LoLLauncher.exe[6440] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460 .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120 .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000764cd03c 5 bytes [33, C0, C2, 04, 00] .text 
D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260 .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 00000001005d9090 .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 
76567db8 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_patcher\releases\0.0.0.22\deploy\LoLPatcher.exe[5072] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll .text D:\Gry\LeagueOfLegends\RADS\projects\lol_air_client\releases\0.0.1.131\deploy\LolClient.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460 .text D:\Gry\LeagueOfLegends\RADS\projects\lol_air_client\releases\0.0.1.131\deploy\LolClient.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120 .text D:\Gry\LeagueOfLegends\RADS\projects\lol_air_client\releases\0.0.1.131\deploy\LolClient.exe[3392] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260 .text D:\Gry\LeagueOfLegends\RADS\projects\lol_air_client\releases\0.0.1.131\deploy\LolClient.exe[3392] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 0000000102859090 ? 
C:\Windows\system32\mssprxy.dll [3392] entry point in ".rdata" section 00000000749971e6 .text D:\Steam\Steam.exe[5588] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460 .text D:\Steam\Steam.exe[5588] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120 .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260 .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 0000000106eb9090 .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes JMP 76568584 C:\Windows\syswow64\kernel32.dll .text D:\Steam\Steam.exe[5588] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000761016bd 2 
bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460 .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120 .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260 .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076101401 2 bytes JMP 764deb26 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076101419 2 bytes JMP 764eb513 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076101431 2 bytes JMP 76568609 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007610144a 2 bytes CALL 764c1dfa C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761014dd 2 bytes JMP 76567efe C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761014f5 2 bytes JMP 765680d8 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007610150d 2 bytes JMP 76567df4 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076101525 2 bytes JMP 765681c2 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007610153d 2 bytes JMP 764df088 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076101555 2 bytes JMP 764eb885 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007610156d 2 bytes JMP 765686c1 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076101585 2 bytes JMP 76568222 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007610159d 2 bytes JMP 76567db8 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761015b5 2 bytes JMP 764df121 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761015cd 2 bytes JMP 764eb29f C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761016b2 2 bytes 
JMP 76568584 C:\Windows\syswow64\kernel32.dll .text D:\Steam\bin\steamwebhelper.exe[7984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761016bd 2 bytes JMP 76567d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\screenSHU\screenSHU.exe[6056] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460 .text C:\Program Files (x86)\screenSHU\screenSHU.exe[6056] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120 .text C:\Program Files (x86)\screenSHU\screenSHU.exe[6056] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260 .text C:\Program Files (x86)\screenSHU\screenSHU.exe[6056] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 000000007653b0d6 5 bytes JMP 0000000102469090 .text C:\Users\DamnSlayer\Downloads\FRST64.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fe0130 5 bytes JMP 0000000077140128 .text C:\Users\DamnSlayer\Downloads\FRST64.exe[1984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fe0250 5 bytes JMP 0000000077140018 .text C:\Users\DamnSlayer\Downloads\FRST64.exe[1984] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076d8a600 5 bytes JMP 00000000771400a0 .text C:\Users\DamnSlayer\Downloads\FRST64.exe[1984] C:\Windows\system32\kernel32.dll!SetFileCompletionNotificationModes 0000000076dc0940 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Users\DamnSlayer\Downloads\xsz7gsln.exe[8044] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007718fbf0 5 bytes JMP 0000000174b81460 .text C:\Users\DamnSlayer\Downloads\xsz7gsln.exe[8044] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007718fdb4 5 bytes JMP 0000000174b81120 .text C:\Users\DamnSlayer\Downloads\xsz7gsln.exe[8044] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000764d117b 5 bytes JMP 0000000174b81260 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT 
C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001018e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001018c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001019614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001019a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800101986c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80066a62c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa80066a62c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80066a62c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80066a62c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdePort1 fffffa80066a62c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdePort6 fffffa80066a62c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80066a62c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80066a62c0 Device \Driver\atapi \Device\Ide\IdePort7 fffffa80066a62c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80066a62c0 Device \FileSystem\Ntfs \Ntfs 
fffffa8006fe02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{57B329C6-0802-4E2D-BCAE-C87122E15916} fffffa8007cb72c0 Device \Driver\USBSTOR \Device\0000007e fffffa80087162c0 Device \Driver\atapi \Device\ScsiPort7 fffffa80066a62c0 Device \Driver\USBSTOR \Device\0000007a fffffa80087162c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8007fef2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8007fef2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007b882c0 Device \Driver\USBSTOR \Device\0000007f fffffa80087162c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8007fe22c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa8007fe22c0 Device \Driver\USBSTOR \Device\0000007c fffffa80087162c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8007fef2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8007fef2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2F8432F9-CFFF-4F39-9174-258BA9009868} fffffa8007cb72c0 Device \Driver\USBSTOR \Device\0000007d fffffa80087162c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007cb72c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa8007fe22c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80066a62c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8007fe22c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80066a62c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80066a62c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80066a62c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80066a62c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80066a62c0 Device \Driver\atapi \Device\ScsiPort6 fffffa80066a62c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80066a62c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80066a62c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80077f8060] fffffa80077f8060 Trace 3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80074f2060] fffffa80074f2060 Trace \Driver\atapi[0xfffffa80070c2c00] -> IRP_MJ_CREATE -> 0xfffffa80066a62c0 
fffffa80066a62c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\services.exe [944:3956] 00000000010ef210 Thread C:\Windows\system32\services.exe [944:3960] 00000000010ef210 Thread C:\Windows\system32\services.exe [944:3964] 00000000010ef210 Thread C:\Windows\system32\services.exe [944:3968] 00000000010ef210 Thread C:\Windows\system32\svchost.exe [760:1056] 000000000055f210 Thread C:\Windows\system32\svchost.exe [760:1060] 000000000055f210 Thread C:\Windows\system32\svchost.exe [760:1064] 000000000055f210 Thread C:\Windows\system32\svchost.exe [760:1068] 000000000055f210 Thread C:\Windows\system32\svchost.exe [1232:1780] 0000000000b5f210 Thread C:\Windows\system32\svchost.exe [1232:1784] 0000000000b5f210 Thread C:\Windows\system32\svchost.exe [1232:1788] 0000000000b5f210 Thread C:\Windows\system32\svchost.exe [1232:1792] 0000000000b5f210 Thread C:\Windows\System32\spoolsv.exe [1820:3740] 000000000204f210 Thread C:\Windows\System32\spoolsv.exe [1820:3744] 000000000204f210 Thread C:\Windows\System32\spoolsv.exe [1820:3748] 000000000204f210 Thread C:\Windows\System32\spoolsv.exe [1820:3752] 000000000204f210 Thread C:\Windows\system32\svchost.exe [1852:2028] 0000000000c2f210 Thread C:\Windows\system32\svchost.exe [1852:2032] 0000000000c2f210 Thread C:\Windows\system32\svchost.exe [1852:2036] 0000000000c2f210 Thread C:\Windows\system32\svchost.exe [1852:2040] 0000000000c2f210 Thread C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe [2372:2888] 000000001a25f210 Thread C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe [2372:2892] 000000001a25f210 Thread C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe [2372:2896] 000000001a25f210 Thread C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe [2372:2900] 000000001a25f210 Thread C:\Windows\system32\svchost.exe [1588:5176] 00000000013af210 
Thread C:\Windows\system32\svchost.exe [1588:6224] 00000000013af210 Thread C:\Windows\system32\svchost.exe [1588:6500] 00000000013af210 Thread C:\Windows\system32\svchost.exe [1588:7060] 00000000013af210 Thread C:\Windows\Explorer.EXE [6088:7016] 00000000027af210 Thread C:\Windows\Explorer.EXE [6088:2576] 00000000027af210 Thread C:\Windows\Explorer.EXE [6088:7464] 00000000027af210 Thread C:\Windows\Explorer.EXE [6088:6000] 00000000027af210 Thread C:\Windows\Explorer.EXE [6088:7872] 00000000027cec50 Thread C:\Windows\Explorer.EXE [6088:2676] 00000000027cec50 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [6088] (GG drive overlay/GG Network S.A.)(2015-02-26 00:52:55) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ ---- EOF - GMER 2.1 ----