GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-07 14:40:16
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 WDC_WD5000AZRX-00A8LB0 rev.01.01A01 465,76GB
Running: rtf23u7c.exe; Driver: C:\Users\dom\AppData\Local\Temp\uxriqpow.sys

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2692]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4720]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\uTorrent.exe[4816]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000731a11a8 2 bytes [1A, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248  00000000731a127d 2 bytes CALL 760014c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395  00000000731a1310 2 bytes CALL 760014c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000731a13a8 2 bytes [1A, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  00000000731a1422 2 bytes [1A, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4972]  C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  00000000731a1498 2 bytes [1A, 73]
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Origin\Origin.exe[5176]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[5952]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076008791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6012]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[4948]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe[5676]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6756]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\dom\AppData\Local\Temp\TeamViewer\TeamViewer.exe[6536]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\DllHost.exe[4172]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\DllHost.exe[4172]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\DllHost.exe[4172]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\DllHost.exe[4172]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll
.text  ...
* 9 .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766815b5 2 bytes JMP 7601fd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766816b2 2 bytes 
JMP 760a906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\DllHost.exe[4172] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076681401 2 bytes JMP 7602b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076681419 2 bytes JMP 7602b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076681431 2 bytes JMP 760a90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007668144a 2 bytes CALL 760048ad C:\Windows\syswow64\kernel32.dll .text ... 
* 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766814dd 2 bytes JMP 760a89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766814f5 2 bytes JMP 760a8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007668150d 2 bytes JMP 760a88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076681525 2 bytes JMP 760a8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007668153d 2 bytes JMP 7601fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076681555 2 bytes JMP 76026937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007668156d 2 bytes JMP 760a91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076681585 2 bytes JMP 760a8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007668159d 2 bytes JMP 760a88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766815b5 2 bytes JMP 7601fd81 
C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766815cd 2 bytes JMP 7602b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766816b2 2 bytes JMP 760a906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766816bd 2 bytes JMP 760a8839 C:\Windows\syswow64\kernel32.dll ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\winlogon.exe[728] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefa832840] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\winlogon.exe[728] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefa832720] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[1040] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefa832840] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[1040] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefa832720] c:\windows\system32\uxtuneup.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fefab7741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fefab75f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fefab75674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fefab75e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fefab77f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fefab76a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fefab76ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fefab77b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fefab77ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fefab778b0] C:\Program Files\Common Files\Microsoft 
Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fefab74fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fefab75d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3084] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fefab77584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Processes - GMER 2.2 ---- Library C:\Users\dom\AppData\Roaming\Enigma Software Group\sh_installer.exe (*** suspicious ***) @ C:\Users\dom\AppData\Roaming\Enigma Software Group\sh_installer.exe [4172] 0000000000fd0000 ---- EOF - GMER 2.2 ----