GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-09 09:04:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD64 rev.01.0 596.17GB Running: jhnmqgsg.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\fwtcaaog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 616 fffff960000a5658 8 bytes [00, A6, AE, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000d4d00 7 bytes [00, 89, F3, FF, C1, 98, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000d4d08 3 bytes [C0, 06, 02] .text ... * 105 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 488 fffff9600019cc3c 6 bytes {JMP QWORD [RIP-0xbc56a]} .text C:\Windows\System32\win32k.sys!EngCTGetCurrentGamma + 32 fffff960001a30c0 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Windows\System32\win32k.sys!EngFntCacheFault + 516 fffff960001d73f0 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Windows\System32\win32k.sys!EngUnmapFontFile + 124 fffff960001d8410 7 bytes {JMP QWORD [RIP+0x0]} .text C:\Windows\System32\win32k.sys!EngUnmapFontFile + 132 fffff960001d8418 6 bytes [05, 04, 80, F8, FF, FF] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000771fe080 5 bytes [FF, 25, D2, 17, 00] .text C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000771fe5d0 5 bytes [FF, 25, 81, 11, 00] .text C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000771fe680 5 bytes [FF, 25, 1F, 12, 00] .text C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!RtlZeroMemory + 7 00000000771ff757 8 bytes {JMP 0x1b} .text C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!memset + 232 00000000771ff858 8 bytes {JMP QWORD [RAX+0x23]} .text C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!RtlLeaveCriticalSection + 69 00000000771ff8a5 8 bytes {SHL BYTE [RBX], 0x1; JMP 0x0} .text C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!UnregisterClassW + 212 0000000076f9d538 14 bytes [50, 20, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SetWindowPos 0000000076fa3c50 6 bytes {JMP QWORD [RIP+0xa0]} .text C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SetWindowPos + 166 0000000076fa3cf6 8 bytes [C0, 20, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!mouse_event + 212 0000000076fb3968 14 bytes [A0, 21, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!VkKeyScanW + 20 0000000076fe06f8 14 bytes {ADC [RDX], AH; JMP 0x0} .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 00000000771fe080 5 bytes [FF, 25, D2, 17, 00] .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 00000000771fe5d0 5 bytes [FF, 25, 81, 11, 00] .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 00000000771fe680 5 bytes [FF, 25, 1F, 12, 00] .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!RtlZeroMemory + 7 00000000771ff757 8 bytes {JMP 0x1b} .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!memset + 232 00000000771ff858 8 bytes {JMP QWORD [RAX+0x23]} .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!RtlLeaveCriticalSection + 69 00000000771ff8a5 8 bytes {SHL BYTE [RBX], 0x1; JMP 0x0} .text C:\Windows\system32\services.exe[764] C:\Windows\system32\USER32.dll!UnregisterClassW + 212 0000000076f9d538 14 bytes [50, 20, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\services.exe[764] C:\Windows\system32\USER32.dll!SetWindowPos 0000000076fa3c50 6 bytes {JMP QWORD [RIP+0xa0]} .text C:\Windows\system32\services.exe[764] C:\Windows\system32\USER32.dll!SetWindowPos + 166 0000000076fa3cf6 8 bytes [C0, 20, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\services.exe[764] C:\Windows\system32\USER32.dll!mouse_event + 212 0000000076fb3968 14 bytes [A0, 21, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\services.exe[764] C:\Windows\system32\USER32.dll!VkKeyScanW + 20 0000000076fe06f8 14 bytes {ADC [RDX], AH; JMP 0x0} .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Windows\system32\winlogon.exe[944] C:\Windows\system32\USER32.dll!UnregisterClassW + 212 0000000076f9d538 14 bytes [50, 20, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\winlogon.exe[944] C:\Windows\system32\USER32.dll!SetWindowPos 0000000076fa3c50 6 bytes {JMP QWORD [RIP+0xa0]} .text C:\Windows\system32\winlogon.exe[944] C:\Windows\system32\USER32.dll!SetWindowPos + 166 0000000076fa3cf6 8 bytes [C0, 20, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\winlogon.exe[944] C:\Windows\system32\USER32.dll!mouse_event + 212 0000000076fb3968 14 bytes [A0, 21, EB, FC, FE, 07, 00, ...] .text C:\Windows\system32\winlogon.exe[944] C:\Windows\system32\USER32.dll!VkKeyScanW + 20 0000000076fe06f8 14 bytes {ADC [RDX], AH; JMP 0x0} .text C:\Windows\system32\svchost.exe[296] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Windows\System32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Windows\System32\svchost.exe[632] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1708] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1976] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1976] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1976] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Windows\System32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1604] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1604] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1604] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1604] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[620] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[620] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[620] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[620] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\ProgramData\MobileBrServ\mbbservice.exe[2092] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\ProgramData\MobileBrServ\mbbservice.exe[2092] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\ProgramData\MobileBrServ\mbbservice.exe[2092] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\ProgramData\MobileBrServ\mbbservice.exe[2092] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\MiuiTab\ProtectService.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2196] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2196] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2196] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2196] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2236] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2268] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Windows\SysWOW64\PnkBstrA.exe[2268] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Windows\SysWOW64\PnkBstrA.exe[2268] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Windows\SysWOW64\PnkBstrA.exe[2268] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2268] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000732517fa 2 bytes CALL 76c311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2268] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073251860 2 bytes CALL 76c311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2268] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073251942 2 bytes JMP 75dc7089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2268] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007325194d 2 bytes JMP 75dccba6 C:\Windows\syswow64\WS2_32.dll .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2296] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2296] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2296] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2296] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2568] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2568] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2568] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Windows\system32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs[2696] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\hnsr9E62.tmp[2728] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\hnsr9E62.tmp[2728] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\hnsr9E62.tmp[2728] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\hnsr9E62.tmp[2728] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[2836] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[2836] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[2836] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Qualcomm Atheros Fast Reconnect\Ath_WlanAgent.exe[2836] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2960] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2960] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2960] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2960] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 ? C:\Windows\system32\mssprxy.dll [2960] entry point in ".rdata" section 00000000703371e6 .text C:\Program Files (x86)\MiuiTab\cmdshell.exe[3500] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\MiuiTab\cmdshell.exe[3500] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\MiuiTab\cmdshell.exe[3500] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\MiuiTab\cmdshell.exe[3500] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUnicodeStringFromAsciiz + 456 00000000771d6f28 14 bytes {AND BYTE [RDX], 0xeb; CLD ; INC BYTE [RDI]; ADD [RAX], AL; JMP QWORD [RIP-0xe]} .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Users\Kuba\AppData\Local\gmsd_pl_005010025\upgmsd_pl_005010025.exe[4584] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5228] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5228] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5228] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5228] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[5248] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[5248] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[5248] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe[5248] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[5316] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[5316] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[5316] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe[5316] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5384] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5384] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5384] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5384] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 0000000100593288 .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 000000010059325c .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 000000010059330c .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001005932e0 .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LManager.exe[5432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[5456] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 0000000100303288 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[5456] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 000000010030325c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[5456] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 000000010030330c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[5456] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001003032e0 .text C:\Program Files (x86)\4G Hostless Modem\PLAY ONLINE\CheckNDISPort_df.exe[5576] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\4G Hostless Modem\PLAY ONLINE\CheckNDISPort_df.exe[5576] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\4G Hostless Modem\PLAY ONLINE\CheckNDISPort_df.exe[5576] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\4G Hostless Modem\PLAY ONLINE\CheckNDISPort_df.exe[5576] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\4G Hostless Modem\PLAY ONLINE\CancelAutoPlay_df.exe[5608] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\4G Hostless Modem\PLAY ONLINE\CancelAutoPlay_df.exe[5608] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\4G Hostless Modem\PLAY ONLINE\CancelAutoPlay_df.exe[5608] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\4G Hostless Modem\PLAY ONLINE\CancelAutoPlay_df.exe[5608] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebHelper.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Launch Manager\LMworker.exe[5692] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Launch Manager\LMworker.exe[5692] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Launch Manager\LMworker.exe[5692] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Launch Manager\LMworker.exe[5692] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[5872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [5872] entry point in ".rdata" section 00000000703371e6 .text C:\Program Files\AVAST Software\Avast\avastui.exe[5916] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076c38781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5940] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5940] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5940] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5940] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5988] C:\Windows\syswow64\user32.DLL!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5988] C:\Windows\syswow64\user32.DLL!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5988] C:\Windows\syswow64\user32.DLL!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe[5988] C:\Windows\syswow64\user32.DLL!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076481401 2 bytes JMP 76c5b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076481419 2 bytes JMP 76c5b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076481431 2 bytes JMP 76cd8f29 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007648144a 2 bytes CALL 76c3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764814dd 2 bytes JMP 76cd8822 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764814f5 2 bytes JMP 76cd89f8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007648150d 2 bytes JMP 76cd8718 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076481525 2 bytes JMP 76cd8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007648153d 2 bytes JMP 76c4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076481555 2 bytes JMP 76c568ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007648156d 2 bytes JMP 76cd8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076481585 2 bytes JMP 76cd8b42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007648159d 2 bytes JMP 76cd86dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764815b5 2 bytes JMP 76c4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764815cd 2 bytes JMP 76c5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764816b2 2 bytes JMP 76cd8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\AppData\Local\SmartWeb\SmartWebApp.exe[5784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764816bd 2 bytes JMP 76cd8671 C:\Windows\syswow64\kernel32.dll .text C:\Users\Kuba\Desktop\Nowy folder\jhnmqgsg.exe[2492] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075f98e4e 5 bytes JMP 00000001100c3288 .text C:\Users\Kuba\Desktop\Nowy folder\jhnmqgsg.exe[2492] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000075fbf170 5 bytes JMP 00000001100c325c .text C:\Users\Kuba\Desktop\Nowy folder\jhnmqgsg.exe[2492] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075fe07d7 5 bytes JMP 00000001100c330c .text C:\Users\Kuba\Desktop\Nowy folder\jhnmqgsg.exe[2492] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExA 0000000075ff6da0 5 bytes JMP 00000001100c32e0 ---- Processes - GMER 2.1 ---- Process C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs (*** suspicious ***) @ C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\knsr67D0.tmpfs [2696](2015-07-06 14:05:52) 0000000000a30000 Process C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\hnsr9E62.tmp (*** suspicious ***) @ C:\Users\Kuba\AppData\Roaming\B661E556-1436193973-E011-AB32-B870F48BF876\hnsr9E62.tmp [2728](2015-07-06 14:46:37) 00000000003b0000 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Kuba\Desktop\\x200b\x200c\HAC\Folder Lock\folderlock7-en.exe 2 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Kuba\Desktop\\x200b\x200c\HAC\setup.exe 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Kuba\Desktop\\x200b\x200c\HAC\Advanced RAR Password Recovery.exe 1 ---- EOF - GMER 2.1 ----