GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-28 20:32:11
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500BEVT-24A23T0 rev.01.01A02 232,89GB
Running: 2x99m4eb.exe; Driver: C:\Users\Sylwek\AppData\Local\Temp\kwwoipod.sys

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwSaveKeyEx + 13AD  8187F579 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  818A3F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\Dwm.exe[260]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 008C6390
.text  C:\Windows\system32\Dwm.exe[260]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 008C6640
.text  C:\Windows\system32\Dwm.exe[260]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 008C53D0
.text  C:\Windows\system32\Dwm.exe[260]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 008C5300
.text  C:\Windows\system32\Dwm.exe[260]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 008C10A0
.text  C:\Windows\system32\Dwm.exe[260]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 008C2570
.text  C:\Windows\system32\Dwm.exe[260]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 008C1290
.text  C:\Windows\system32\Dwm.exe[260]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 008C11C0
.text  C:\Windows\system32\Dwm.exe[260]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\system32\Dwm.exe[260]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 008C1000
.text  C:\Windows\system32\Dwm.exe[260]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 008C2510
.text  C:\Windows\system32\Dwm.exe[260]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 008C1D10
.text  C:\Windows\system32\Dwm.exe[260]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 008C7250
.text  C:\Windows\system32\Dwm.exe[260]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 008C2160
.text  C:\Windows\system32\Dwm.exe[260]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 008C23A0
.text  C:\Windows\system32\Dwm.exe[260]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 008C20A0
.text  C:\Windows\system32\csrss.exe[384]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 02396390
.text  C:\Windows\system32\csrss.exe[384]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 02396640
.text  C:\Windows\system32\csrss.exe[384]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 023953D0
.text  C:\Windows\system32\csrss.exe[384]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 02395300
.text  C:\Windows\system32\csrss.exe[384]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 023910A0
.text  C:\Windows\system32\csrss.exe[384]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 02392570
.text  C:\Windows\system32\csrss.exe[384]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 02391290
.text  C:\Windows\system32\csrss.exe[384]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 023911C0
.text  C:\Windows\system32\csrss.exe[384]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\system32\csrss.exe[384]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 02391000
.text  C:\Windows\system32\csrss.exe[384]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 02392510
.text  C:\Windows\system32\csrss.exe[384]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 02391D10
.text  C:\Windows\system32\csrss.exe[384]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 02397250
.text  C:\Windows\system32\csrss.exe[384]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 02392160
.text  C:\Windows\system32\csrss.exe[384]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 023923A0
.text  C:\Windows\system32\csrss.exe[384]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 023920A0
.text  C:\Windows\system32\winlogon.exe[420]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 00A26390
.text  C:\Windows\system32\winlogon.exe[420]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 00A26640
.text  C:\Windows\system32\winlogon.exe[420]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 00A253D0
.text  C:\Windows\system32\winlogon.exe[420]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 00A25300
.text  C:\Windows\system32\winlogon.exe[420]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 00A210A0
.text  C:\Windows\system32\winlogon.exe[420]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 00A22570
.text  C:\Windows\system32\winlogon.exe[420]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 00A21290
.text  C:\Windows\system32\winlogon.exe[420]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 00A211C0
.text  C:\Windows\system32\winlogon.exe[420]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\system32\winlogon.exe[420]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 00A21000
.text  C:\Windows\system32\winlogon.exe[420]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 00A22510
.text  C:\Windows\system32\winlogon.exe[420]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 00A21D10
.text  C:\Windows\system32\winlogon.exe[420]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 00A27250
.text  C:\Windows\system32\winlogon.exe[420]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 00A22160
.text  C:\Windows\system32\winlogon.exe[420]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 00A223A0
.text  C:\Windows\system32\winlogon.exe[420]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 00A220A0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 00A46390
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 00A46640
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 00A453D0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 00A45300
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 00A410A0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 00A42570
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 00A41290
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 00A411C0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 00A41000
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 00A42510
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 00A41D10
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 00A47250
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 00A42160
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 00A423A0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1092]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 00A420A0
C:\Users\Sylwek\AppData\Local\services.exe[1480]  C:\Users\Sylwek\AppData\Local\services.exe  entry point in "" section [0x0042F485]
C:\Users\Sylwek\AppData\Local\services.exe[1480]  C:\Users\Sylwek\AppData\Local\services.exe  unknown last code section [0x00425000, 0x19000, 0xC00000E0]
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 01A06390
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 01A06640
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 01A053D0
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 01A05300
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 01A010A0
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 01A02570
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 01A01290
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 01A011C0
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 01A01000
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 01A02510
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 01A01D10
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 01A07250
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 01A02160
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 01A023A0
.text  C:\Users\Sylwek\AppData\Local\services.exe[1480]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 01A020A0
.text  C:\Windows\system32\taskhost.exe[1556]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 01856390
.text  C:\Windows\system32\taskhost.exe[1556]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 01856640
.text  C:\Windows\system32\taskhost.exe[1556]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 018553D0
.text  C:\Windows\system32\taskhost.exe[1556]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 01855300
.text  C:\Windows\system32\taskhost.exe[1556]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 018510A0
.text  C:\Windows\system32\taskhost.exe[1556]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 01852570
.text  C:\Windows\system32\taskhost.exe[1556]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 01851290
.text  C:\Windows\system32\taskhost.exe[1556]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 018511C0
.text  C:\Windows\system32\taskhost.exe[1556]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\system32\taskhost.exe[1556]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 01851000
.text  C:\Windows\system32\taskhost.exe[1556]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 01852510
.text  C:\Windows\system32\taskhost.exe[1556]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 01851D10
.text  C:\Windows\system32\taskhost.exe[1556]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 01857250
.text  C:\Windows\system32\taskhost.exe[1556]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 01852160
.text  C:\Windows\system32\taskhost.exe[1556]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 018523A0
.text  C:\Windows\system32\taskhost.exe[1556]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 018520A0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 01CD6390
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 01CD6640
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 01CD53D0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 01CD5300
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 01CD10A0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 01CD2570
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 01CD1290
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 01CD11C0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 01CD1000
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 01CD2510
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 01CD1D10
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 01CD7250
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 01CD2160
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 01CD23A0
.text  C:\Windows\SYSTEM32\WISPTIS.EXE[1612]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 01CD20A0
C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  C:\Users\Sylwek\AppData\Local\winlogon.exe  entry point in "" section [0x0042F485]
C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  C:\Users\Sylwek\AppData\Local\winlogon.exe  unknown last code section [0x00425000, 0x19000, 0xC00000E0]
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 019C6390
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 019C6640
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 019C53D0
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 019C5300
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 019C10A0
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 019C2570
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 019C1290
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 019C11C0
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 019C1000
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 019C2510
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 019C1D10
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 019C7250
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 019C2160
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 019C23A0
.text  C:\Users\Sylwek\AppData\Local\winlogon.exe[1672]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 019C20A0
.text  C:\Windows\explorer.exe[2268]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 07246390
.text  C:\Windows\explorer.exe[2268]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 07246640
.text  C:\Windows\explorer.exe[2268]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 072453D0
.text  C:\Windows\explorer.exe[2268]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 07245300
.text  C:\Windows\explorer.exe[2268]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 072410A0
.text  C:\Windows\explorer.exe[2268]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 07242570
.text  C:\Windows\explorer.exe[2268]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 07241290
.text  C:\Windows\explorer.exe[2268]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 072411C0
.text  C:\Windows\explorer.exe[2268]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\explorer.exe[2268]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 07241000
.text  C:\Windows\explorer.exe[2268]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 07242510
.text  C:\Windows\explorer.exe[2268]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 07241D10
.text  C:\Windows\explorer.exe[2268]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 07247250
.text  C:\Windows\explorer.exe[2268]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 07242160
.text  C:\Windows\explorer.exe[2268]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 072423A0
.text  C:\Windows\explorer.exe[2268]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 072420A0
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 00E86390
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 00E86640
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 00E853D0
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 00E85300
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 00E810A0
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 00E82570
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 00E81290
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 00E811C0
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 00E81000
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 00E82510
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 00E81D10
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 00E87250
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 00E82160
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 00E823A0
.text  C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe[2356]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 00E820A0
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 01636390
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 01636640
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 016353D0
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 01635300
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 016310A0
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 01632570
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 01631290
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 016311C0
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 01631000
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 01632510
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 01631D10
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 01637250
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 01632160
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 016323A0
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2364]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 016320A0
.text  C:\Windows\System32\igfxtray.exe[2372]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 01546390
.text  C:\Windows\System32\igfxtray.exe[2372]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 01546640
.text  C:\Windows\System32\igfxtray.exe[2372]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 015453D0
.text  C:\Windows\System32\igfxtray.exe[2372]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 01545300
.text  C:\Windows\System32\igfxtray.exe[2372]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 015410A0
.text  C:\Windows\System32\igfxtray.exe[2372]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 01542570
.text  C:\Windows\System32\igfxtray.exe[2372]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 01541290
.text  C:\Windows\System32\igfxtray.exe[2372]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 015411C0
.text  C:\Windows\System32\igfxtray.exe[2372]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\System32\igfxtray.exe[2372]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 01541000
.text  C:\Windows\System32\igfxtray.exe[2372]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 01542510
.text  C:\Windows\System32\igfxtray.exe[2372]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 01541D10
.text  C:\Windows\System32\igfxtray.exe[2372]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 01547250
.text  C:\Windows\System32\igfxtray.exe[2372]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 01542160
.text  C:\Windows\System32\igfxtray.exe[2372]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 015423A0
.text  C:\Windows\System32\igfxtray.exe[2372]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 015420A0
.text  C:\Windows\System32\hkcmd.exe[2380]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 01A96390
.text  C:\Windows\System32\hkcmd.exe[2380]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 01A96640
.text  C:\Windows\System32\hkcmd.exe[2380]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 01A953D0
.text  C:\Windows\System32\hkcmd.exe[2380]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 01A95300
.text  C:\Windows\System32\hkcmd.exe[2380]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 01A910A0
.text  C:\Windows\System32\hkcmd.exe[2380]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 01A92570
.text  C:\Windows\System32\hkcmd.exe[2380]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 01A91290
.text  C:\Windows\System32\hkcmd.exe[2380]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 01A911C0
.text  C:\Windows\System32\hkcmd.exe[2380]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\System32\hkcmd.exe[2380]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 01A91000
.text  C:\Windows\System32\hkcmd.exe[2380]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 01A92510
.text  C:\Windows\System32\hkcmd.exe[2380]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 01A91D10
.text  C:\Windows\System32\hkcmd.exe[2380]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 01A97250
.text  C:\Windows\System32\hkcmd.exe[2380]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 01A92160
.text  C:\Windows\System32\hkcmd.exe[2380]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 01A923A0
.text  C:\Windows\System32\hkcmd.exe[2380]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 01A920A0
.text  C:\Windows\System32\igfxpers.exe[2408]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 00366390
.text  C:\Windows\System32\igfxpers.exe[2408]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 00366640
.text  C:\Windows\System32\igfxpers.exe[2408]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 003653D0
.text  C:\Windows\System32\igfxpers.exe[2408]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 00365300
.text  C:\Windows\System32\igfxpers.exe[2408]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 003610A0
.text  C:\Windows\System32\igfxpers.exe[2408]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 00362570
.text  C:\Windows\System32\igfxpers.exe[2408]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 00361290
.text  C:\Windows\System32\igfxpers.exe[2408]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 003611C0
.text  C:\Windows\System32\igfxpers.exe[2408]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\System32\igfxpers.exe[2408]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 00361000
.text  C:\Windows\System32\igfxpers.exe[2408]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 00362510
.text  C:\Windows\System32\igfxpers.exe[2408]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 00361D10
.text  C:\Windows\System32\igfxpers.exe[2408]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 00367250
.text  C:\Windows\System32\igfxpers.exe[2408]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 00362160
.text  C:\Windows\System32\igfxpers.exe[2408]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 003623A0
.text  C:\Windows\System32\igfxpers.exe[2408]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 003620A0
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 04ED6390
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 04ED6640
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 04ED53D0
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 04ED5300
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!CopyFileW  75618C8F 3 Bytes  JMP 04ED10A0
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!CopyFileW + 4  75618C93 1 Byte  [8F]
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!MoveFileW  7561A173 3 Bytes  JMP 04ED2570
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!MoveFileW + 4  7561A177 1 Byte  [8F]
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!CreateFileW  75630B5D 5 Bytes  JMP 04ED1290
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!CreateFileA  756328FC 5 Bytes  JMP 04ED11C0
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!CopyFileA  75647CFC 5 Bytes  JMP 04ED1000
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  KERNEL32.dll!MoveFileA  7566AD49 5 Bytes  JMP 04ED2510
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 04ED1D10
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 04ED7250
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 04ED2160
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 04ED23A0
.text  C:\Program Files\Lenovo\Lenovo Screen Rotation\ScreenRotation.exe[2416]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 04ED20A0
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 00356390
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 00356640
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 003553D0
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 00355300
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 003510A0
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 00352570
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 00351290
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 003511C0
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 00351000
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 00352510
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 00351D10
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 00357250
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 00352160
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 003523A0
.text  C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2432]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 003520A0
.text  C:\Windows\system32\igfxsrvc.exe[2512]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 020B6390
.text  C:\Windows\system32\igfxsrvc.exe[2512]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 020B6640
.text  C:\Windows\system32\igfxsrvc.exe[2512]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 020B53D0
.text  C:\Windows\system32\igfxsrvc.exe[2512]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 020B5300
.text  C:\Windows\system32\igfxsrvc.exe[2512]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 020B10A0
.text  C:\Windows\system32\igfxsrvc.exe[2512]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 020B2570
.text  C:\Windows\system32\igfxsrvc.exe[2512]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 020B1290
.text  C:\Windows\system32\igfxsrvc.exe[2512]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 020B11C0
.text  C:\Windows\system32\igfxsrvc.exe[2512]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Windows\system32\igfxsrvc.exe[2512]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 020B1000
.text  C:\Windows\system32\igfxsrvc.exe[2512]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 020B2510
.text  C:\Windows\system32\igfxsrvc.exe[2512]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 020B1D10
.text  C:\Windows\system32\igfxsrvc.exe[2512]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 020B7250
.text  C:\Windows\system32\igfxsrvc.exe[2512]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 020B2160
.text  C:\Windows\system32\igfxsrvc.exe[2512]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 020B23A0
.text  C:\Windows\system32\igfxsrvc.exe[2512]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 020B20A0
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 03E06390
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 03E06640
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 03E053D0
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 03E05300
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 03E010A0
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 03E02570
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 03E01290
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 03E011C0
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 03E01000
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 03E02510
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 03E01D10
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 03E07250
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 03E02160
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 03E023A0
.text  C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2536]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 03E020A0
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 01336390
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 01336640
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 013353D0
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 01335300
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 013310A0
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 01332570
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 01331290
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 013311C0
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 01331000
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 01332510
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 01331D10
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 01337250
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 01332160
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 013323A0
.text  C:\Program Files\CandoTouch\CTouch.exe[2548]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 013320A0
.text  E:\2x99m4eb.exe[3692]  ntdll.dll!NtEnumerateValueKey  771D4D60 5 Bytes  JMP 00176390
.text  E:\2x99m4eb.exe[3692]  ntdll.dll!NtQueryDirectoryFile  771D53E0 5 Bytes  JMP 00176640
.text  E:\2x99m4eb.exe[3692]  ntdll.dll!NtResumeThread  771D58F0 5 Bytes  JMP 001753D0
.text  E:\2x99m4eb.exe[3692]  ntdll.dll!LdrLoadDll  771EF585 5 Bytes  JMP 00175300
.text  E:\2x99m4eb.exe[3692]  kernel32.dll!CopyFileW  75618C8F 5 Bytes  JMP 001710A0
.text  E:\2x99m4eb.exe[3692]  kernel32.dll!MoveFileW  7561A173 5 Bytes  JMP 00172570
.text  E:\2x99m4eb.exe[3692]  kernel32.dll!CreateFileW  75630B5D 5 Bytes  JMP 00171290
.text  E:\2x99m4eb.exe[3692]  kernel32.dll!CreateFileA  756328FC 5 Bytes  JMP 001711C0
.text  E:\2x99m4eb.exe[3692]  kernel32.dll!CopyFileA  75647CFC 1 Byte  [E9]
.text  E:\2x99m4eb.exe[3692]  kernel32.dll!CopyFileA  75647CFC 5 Bytes  JMP 00171000
.text  E:\2x99m4eb.exe[3692]  kernel32.dll!MoveFileA  7566AD49 5 Bytes  JMP 00172510
.text  E:\2x99m4eb.exe[3692]  WS2_32.dll!GetAddrInfoW  758560F5 5 Bytes  JMP 00171D10
.text  E:\2x99m4eb.exe[3692]  WS2_32.dll!send  7585C4C8 5 Bytes  JMP 00177250
.text  E:\2x99m4eb.exe[3692]  WININET.dll!HttpSendRequestW  75B4EEF3 5 Bytes  JMP 00172160
.text  E:\2x99m4eb.exe[3692]  WININET.dll!InternetWriteFile  75B69138 5 Bytes  JMP 001723A0
.text  E:\2x99m4eb.exe[3692]  WININET.dll!HttpSendRequestA  75BC00FC 5 Bytes  JMP 001720A0

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395495537
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395495537 (not active ControlSet)
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Zdmcmb  C:\Users\Sylwek\AppData\Roaming\Zdmcmb.exe

---- Files - GMER 2.1 ----

File  C:\Users\Sylwek\AppData\Roaming\Zdmcmb.exe  796723 bytes executable

---- EOF - GMER 2.1 ----