GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-27 17:54:56 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.02.0 465,76GB Running: t7pujrbu.exe; Driver: C:\Users\PAWEL~1.DZI\AppData\Local\Temp\uxtdrpob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076081401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076081419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076081431 2 bytes JMP 76148f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007608144a 2 bytes CALL 760a489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760814dd 2 bytes JMP 76148822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760814f5 2 bytes JMP 761489f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007608150d 2 bytes JMP 76148718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076081525 2 bytes JMP 76148ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007608153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076081555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007608156d 2 bytes JMP 76148fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076081585 2 bytes JMP 76148b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007608159d 2 bytes JMP 761486dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760815b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760815cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760816b2 2 bytes JMP 76148ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760816bd 2 bytes JMP 76148671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760a8781 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076081401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076081419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076081431 2 bytes JMP 76148f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007608144a 2 bytes CALL 760a489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000760814dd 2 bytes JMP 76148822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000760814f5 2 bytes JMP 761489f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007608150d 2 bytes JMP 76148718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076081525 2 bytes JMP 76148ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007608153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076081555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007608156d 2 bytes JMP 76148fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076081585 2 bytes JMP 76148b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007608159d 2 bytes JMP 761486dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000760815b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000760815cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000760816b2 2 bytes JMP 76148ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Security\x86\ekrn.exe[2148] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000760816bd 2 bytes JMP 76148671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextCreate + 4 00000000723a1825 2 bytes JMP 75b2613d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroy + 4 00000000723a1830 2 bytes JMP 75b2615d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dContextDestroyAll + 4 00000000723a183b 2 bytes JMP 75b2617d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dDrawPrimitives2 + 4 00000000723a1846 2 bytes JMP 75b25a1d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkD3dValidateTextureStageState + 4 00000000723a1851 2 bytes JMP 75b2619d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAddAttachedSurface + 4 00000000723a185c 2 bytes JMP 75b2627d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAlphaBlt + 4 00000000723a1867 2 bytes JMP 75b2629d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdAttachSurface + 4 00000000723a1872 2 bytes JMP 75b262bd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBeginMoCompFrame + 4 00000000723a187d 2 bytes JMP 75b262dd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdBlt + 4 00000000723a1888 2 bytes JMP 75b25a3d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateD3DBuffer + 4 00000000723a1893 2 bytes JMP 75b262fd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCanCreateSurface + 4 00000000723a189e 2 bytes JMP 75b25abd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdColorControl + 4 00000000723a18a9 2 bytes JMP 75b2631d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateD3DBuffer + 4 00000000723a18b4 2 bytes JMP 75b2633d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateDirectDrawObject + 4 00000000723a18bf 2 bytes JMP 75af1fcb C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateMoComp + 4 00000000723a18ca 2 bytes JMP 75b2637d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurface + 4 00000000723a18d5 2 bytes JMP 75b25add C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceEx + 4 00000000723a18e0 2 bytes JMP 75b25b5d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdCreateSurfaceObject + 4 00000000723a18eb 2 bytes JMP 75b25b7d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteDirectDrawObject + 4 00000000723a18f6 2 bytes JMP 75b268dd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDeleteSurfaceObject + 4 00000000723a1901 2 bytes JMP 75b25a9d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyD3DBuffer + 4 00000000723a190c 2 bytes JMP 75b268fd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroyMoComp + 4 00000000723a1917 2 bytes JMP 75b2693d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdDestroySurface + 4 00000000723a1922 2 bytes JMP 75b25afd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdEndMoCompFrame + 4 00000000723a192d 2 bytes JMP 75b2695d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlip + 4 00000000723a1938 2 bytes JMP 75b2697d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdFlipToGDISurface + 4 00000000723a1943 2 bytes JMP 75b2699d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetAvailDriverMemory + 4 00000000723a194e 2 bytes JMP 75b269bd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetBltStatus + 4 00000000723a1959 2 bytes JMP 75b269dd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDC + 4 00000000723a1964 2 bytes JMP 75b269fd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverInfo + 4 00000000723a196f 2 bytes JMP 75b26a1d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDriverState + 4 00000000723a197a 2 bytes JMP 75b26a3d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetDxHandle + 4 00000000723a1985 2 bytes JMP 75b26a5d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetFlipStatus + 4 00000000723a1990 2 bytes JMP 75b26a7d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetInternalMoCompInfo + 4 00000000723a199b 2 bytes JMP 75b26a9d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompBuffInfo + 4 00000000723a19a6 2 bytes JMP 75b26abd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompFormats + 4 00000000723a19b1 2 bytes JMP 75b26add C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetMoCompGuids + 4 00000000723a19bc 2 bytes JMP 75b26afd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdGetScanLine + 4 00000000723a19c7 2 bytes JMP 75b26b1d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLock + 4 00000000723a19d2 2 bytes JMP 75b26b3d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdLockD3D + 4 00000000723a19dd 2 bytes JMP 75b25b9d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryDirectDrawObject + 4 00000000723a19e8 2 bytes JMP 75b26b7d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdQueryMoCompStatus + 4 00000000723a19f3 2 bytes JMP 75b26b9d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReenableDirectDrawObject + 4 00000000723a19fe 2 bytes JMP 75b26bdb C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdReleaseDC + 4 00000000723a1a09 2 bytes JMP 75b26bfb C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdRenderMoComp + 4 00000000723a1a14 2 bytes JMP 75b26c1b C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdResetVisrgn + 4 00000000723a1a1f 2 bytes JMP 75b25b1d C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetColorKey + 4 00000000723a1a2a 2 bytes JMP 75b26c3b C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetExclusiveMode + 4 00000000723a1a35 2 bytes JMP 75b26c5b C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetGammaRamp + 4 00000000723a1a40 2 bytes JMP 75b26c7b C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdSetOverlayPosition + 4 00000000723a1a4b 2 bytes JMP 75b26c9b C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnattachSurface + 4 00000000723a1a56 2 bytes JMP 75b26cbb C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlock + 4 00000000723a1a61 2 bytes JMP 75b26cdb C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUnlockD3D + 4 00000000723a1a6c 2 bytes JMP 75b25bbd C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdUpdateOverlay + 4 00000000723a1a77 2 bytes JMP 75b26cfb C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 4 00000000723a1a82 2 bytes JMP 75b26d1b C:\Windows\syswow64\GDI32.dll .text C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2560] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 52 00000000723a1ab2 2 bytes JMP 75d9dc75 C:\Windows\syswow64\msvcrt.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076081401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076081419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076081431 2 bytes JMP 76148f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007608144a 2 bytes CALL 760a489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760814dd 2 bytes JMP 76148822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760814f5 2 bytes JMP 761489f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007608150d 2 bytes JMP 76148718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076081525 2 bytes JMP 76148ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007608153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076081555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007608156d 2 bytes JMP 76148fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076081585 2 bytes JMP 76148b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007608159d 2 bytes JMP 761486dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760815b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760815cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760816b2 2 bytes JMP 76148ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760816bd 2 bytes JMP 76148671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076081401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076081419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076081431 2 bytes JMP 76148f29 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007608144a 2 bytes CALL 760a489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760814dd 2 bytes JMP 76148822 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760814f5 2 bytes JMP 761489f8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007608150d 2 bytes JMP 76148718 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076081525 2 bytes JMP 76148ae2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007608153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076081555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007608156d 2 bytes JMP 76148fe3 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076081585 2 bytes JMP 76148b42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007608159d 2 bytes JMP 761486dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760815b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760815cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760816b2 2 bytes JMP 76148ea4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\CCM\CcmExec.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760816bd 2 bytes JMP 76148671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076081401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076081419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076081431 2 bytes JMP 76148f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007608144a 2 bytes CALL 760a489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760814dd 2 bytes JMP 76148822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760814f5 2 bytes JMP 761489f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007608150d 2 bytes JMP 76148718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076081525 2 bytes JMP 76148ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007608153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076081555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007608156d 2 bytes JMP 76148fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076081585 2 bytes JMP 76148b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007608159d 2 bytes JMP 761486dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760815b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760815cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760816b2 2 bytes JMP 76148ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6316] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760816bd 2 bytes JMP 76148671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076081401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076081419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076081431 2 bytes JMP 76148f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007608144a 2 bytes CALL 760a489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760814dd 2 bytes JMP 76148822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760814f5 2 bytes JMP 761489f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007608150d 2 bytes JMP 76148718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076081525 2 bytes JMP 76148ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007608153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076081555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007608156d 2 bytes JMP 76148fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076081585 2 bytes JMP 76148b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007608159d 2 bytes JMP 761486dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760815b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760815cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760816b2 2 bytes JMP 76148ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6688] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760816bd 2 bytes JMP 76148671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076081401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076081419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076081431 2 bytes JMP 76148f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007608144a 2 bytes CALL 760a489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760814dd 2 bytes JMP 76148822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760814f5 2 bytes JMP 761489f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007608150d 2 bytes JMP 76148718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076081525 2 bytes JMP 76148ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007608153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076081555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007608156d 2 bytes JMP 76148fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076081585 2 bytes JMP 76148b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007608159d 2 bytes JMP 761486dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760815b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760815cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760816b2 2 bytes JMP 76148ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760816bd 2 bytes JMP 76148671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076081401 2 bytes JMP 760cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076081419 2 bytes JMP 760cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076081431 2 bytes JMP 76148f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007608144a 2 bytes CALL 760a489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760814dd 2 bytes JMP 76148822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760814f5 2 bytes JMP 761489f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007608150d 2 bytes JMP 76148718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076081525 2 bytes JMP 76148ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007608153d 2 bytes JMP 760bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076081555 2 bytes JMP 760c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007608156d 2 bytes JMP 76148fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076081585 2 bytes JMP 76148b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007608159d 2 bytes JMP 761486dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760815b5 2 bytes JMP 760bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760815cd 2 bytes JMP 760cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760816b2 2 bytes JMP 76148ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[2752] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760816bd 2 bytes JMP 76148671 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010bde94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010bdc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010be654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010bea50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010be8ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8003fc42c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80073752c0 Device \Driver\cdrom \Device\CdRom0 fffffa8006eaa2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1198EB57-058F-4C02-B1B7-0464D48C9167} fffffa8006fe22c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80073752c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D1DA433C-3ECA-4AF6-B276-E96D9BEC9019} fffffa8006fe22c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80073752c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{7BB180B9-103F-4654-9350-96845585EC46} fffffa8006fe22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{86858A17-5E90-4C7C-BBC0-CDE8396DEE66} fffffa8006fe22c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006fe22c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80073752c0 ---- Processes - GMER 2.1 ---- Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\python27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688] (Python Core/Python Software Foundation)(2015-09-27 14:26:33) 000000001e000000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32api.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:35) 000000001e8c0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\pywintypes27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:31) 000000001e7a0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\pythoncom27.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:34) 0000000002540000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\_socket.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:32) 0000000000250000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\_ssl.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:32) 0000000010000000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:35) 000000001e800000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\_hashlib.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:32) 0000000002dc0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wx._core_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:38) 0000000002e80000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wxbase30u_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688] (wxWidgets base library/wxWidgets development team)(2015-09-27 14:26:40) 0000000002fb0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wxbase30u_net_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688] (wxWidgets network library/wxWidgets development team)(2015-09-27 14:26:40) 0000000000310000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wxmsw30u_core_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688] (wxWidgets core library/wxWidgets development team)(2015-09-27 14:26:40) 00000000031b0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wxmsw30u_adv_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688] (wxWidgets advanced library/wxWidgets development team)(2015-09-27 14:26:40) 0000000003680000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wx._gdi_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:39) 00000000038c0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wx._windows_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:39) 0000000003990000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wxmsw30u_html_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688] (wxWidgets html library/wxWidgets development team)(2015-09-27 14:26:41) 0000000004280000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wx._controls_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:38) 0000000004540000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wx._misc_.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:39) 0000000004650000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\pysqlite2._sqlite.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:33) 0000000004710000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\_ctypes.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:32) 000000001d1a0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32file.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:36) 000000001ea10000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32security.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:37) 000000001ec80000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\hashobjs_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:33) 0000000003a60000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\usb_ext.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:35) 0000000004320000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32gui.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:36) 000000001ea40000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32event.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:35) 000000001e9b0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\_elementtree.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:32) 000000001d100000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\pyexpat.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:33) 0000000004340000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\common.time34.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:33) 0000000004370000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\_psutil_windows.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:32) 0000000004380000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32inet.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:37) 000000001eaa0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32crypt.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:35) 000000001e980000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wx._html2.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:39) 0000000004390000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wxmsw30u_webview_vc90.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688] (wxWidgets webview library/wxWidgets development team)(2015-09-27 14:26:41) 0000000005920000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\_multiprocessing.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:32) 0000000005940000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\_yappi.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:32) 0000000005950000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32process.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:37) 000000001ebf0000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\unicodedata.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:34) 0000000005960000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wx._wizard.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:39) 0000000005a10000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32pipe.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:37) 000000001eb90000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\select.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:34) 0000000005a50000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32pdh.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:37) 000000001eb60000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32profile.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:37) 000000001ec20000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\win32ts.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:38) 000000001ed40000 Library C:\Users\PAWEL~1.DZI\AppData\Local\Temp\_MEI54642\wx._animate.pyd (*** suspicious ***) @ C:\Program Files (x86)\Google\Drive\googledrivesync.exe [6688](2015-09-27 14:26:38) 0000000005a60000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\6817294cbe76 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAC 0xDD 0x8A 0x83 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\6817294cbe76 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAC 0xDD 0x8A 0x83 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----