GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-10 02:59:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3265GSX rev.GJ002J 298,09GB Running: u4rqhpwv.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uxldakob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!XLATEOBJ_iXlate + 665 fffff9600012bfad 13 bytes {MOV EAX, 0x42db0bc; CMP AL, 0xff; CALL QWORD [RAX-0x3d]} .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff96000145c00 8 bytes [74, 71, ED, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000175800 7 bytes [40, 58, F3, FF, C1, 64, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000175808 3 bytes [C0, 06, 02] .text ... * 106 .text C:\Windows\System32\win32k.sys!EngQueryW32kCddInterface + 784 fffff9600023df08 6 bytes {JMP QWORD [RIP-0xbc5aa]} .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 732 fffff960002ac814 8 bytes [8C, 83, ED, 03, 80, F8, FF, ...] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077282171 12 bytes [B8, 88, 74, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077285be1 14 bytes [B8, 98, 73, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772abc20 5 bytes [48, B8, A4, 2A, 03] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772abc28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772ac030 5 bytes [48, B8, 78, 13, 03] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000772ac038 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] 
.text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772ac080 5 bytes [48, B8, 9C, 24, 03] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772ac088 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 00000000772ac250 5 bytes [48, B8, 54, 29, 03] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 00000000772ac258 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772ac270 5 bytes [48, B8, AC, 22, 03] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000772ac278 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 00000000772ac288 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ac380 5 bytes [48, B8, 3C, 2B, 03] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 00000000772ac388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772ac450 5 bytes [48, B8, 0C, 24, 03] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 00000000772ac458 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000772ad020 6 bytes [48, B8, 68, 23, 03, 00] .text C:\Windows\system32\csrss.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000772ad028 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] 
.text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!CallNextHookEx + 1 000000007704baad 14 bytes [B8, C0, 7A, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetAsyncKeyState + 1 000000007704c6dd 18 bytes [B8, FC, 75, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!PostThreadMessageW + 121 0000000077050bdd 12 bytes [B8, F8, 80, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!PeekMessageA + 1 00000000770539f1 14 bytes [B8, A8, 10, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!IsProcessDPIAware + 364 0000000077054810 15 bytes [48, B8, D4, 7F, 03, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetKeyState + 1 0000000077054ff1 18 bytes [B8, FC, 76, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetMessageA + 1 0000000077056121 14 bytes [B8, 08, 10, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!PeekMessageW + 1 0000000077059011 14 bytes [B8, 00, 11, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetMessageW 0000000077059ea4 12 bytes [48, B8, 58, 10, 03, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetLastActivePopup + 93 00000000770689a9 14 bytes [B8, 60, A9, 03, 00, 00, 00, ...] 
.text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077068a10 6 bytes [48, B8, FC, 77, 03, 00] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetKeyboardState + 8 0000000077068a18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetRawInputData 000000007706aff0 6 bytes [48, B8, C0, 74, 03, 00] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetRawInputData + 8 000000007706aff8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!EndTask + 1 0000000077091699 17 bytes [B8, 34, 22, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[488] C:\Windows\system32\USER32.dll!GetRawInputBuffer + 1 00000000770a5121 12 bytes [B8, 94, 75, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077282171 12 bytes [B8, 88, 74, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077285be1 14 bytes [B8, 98, 73, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772abc20 5 bytes [48, B8, A4, 2A, 03] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772abc28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772ac030 5 bytes [48, B8, 78, 13, 03] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000772ac038 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772ac080 5 bytes [48, B8, 9C, 24, 03] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772ac088 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] 
.text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 00000000772ac250 5 bytes [48, B8, 54, 29, 03] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 00000000772ac258 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772ac270 5 bytes [48, B8, AC, 22, 03] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000772ac278 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 00000000772ac288 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ac380 5 bytes [48, B8, 3C, 2B, 03] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 00000000772ac388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772ac450 5 bytes [48, B8, 0C, 24, 03] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 00000000772ac458 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000772ad020 6 bytes [48, B8, 68, 23, 03, 00] .text C:\Windows\system32\csrss.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000772ad028 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!CallNextHookEx + 1 000000007704baad 14 bytes [B8, C0, 7A, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetAsyncKeyState + 1 000000007704c6dd 18 bytes [B8, FC, 75, 03, 00, 00, 00, ...] 
.text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!PostThreadMessageW + 121 0000000077050bdd 12 bytes [B8, F8, 80, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!PeekMessageA + 1 00000000770539f1 14 bytes [B8, A8, 10, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!IsProcessDPIAware + 364 0000000077054810 15 bytes [48, B8, D4, 7F, 03, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetKeyState + 1 0000000077054ff1 18 bytes [B8, FC, 76, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetMessageA + 1 0000000077056121 14 bytes [B8, 08, 10, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!PeekMessageW + 1 0000000077059011 14 bytes [B8, 00, 11, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetMessageW 0000000077059ea4 12 bytes [48, B8, 58, 10, 03, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetLastActivePopup + 93 00000000770689a9 14 bytes [B8, 60, A9, 03, 00, 00, 00, ...] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077068a10 6 bytes [48, B8, FC, 77, 03, 00] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetKeyboardState + 8 0000000077068a18 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetRawInputData 000000007706aff0 6 bytes [48, B8, C0, 74, 03, 00] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetRawInputData + 8 000000007706aff8 4 bytes [00, 00, 50, C3] .text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!EndTask + 1 0000000077091699 17 bytes [B8, 34, 22, 03, 00, 00, 00, ...] 
.text C:\Windows\system32\csrss.exe[576] C:\Windows\system32\USER32.dll!GetRawInputBuffer + 1 00000000770a5121 12 bytes [B8, 94, 75, 03, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077282171 12 bytes [B8, 88, 74, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077285be1 14 bytes [B8, 98, 73, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772abc20 5 bytes [48, B8, A4, 2A, 06] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772abc28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772ac030 5 bytes [48, B8, 78, 13, 06] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000772ac038 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772ac080 5 bytes [48, B8, 9C, 24, 06] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772ac088 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 00000000772ac250 5 bytes [48, B8, 54, 29, 06] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 00000000772ac258 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772ac270 5 bytes [48, B8, AC, 22, 06] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000772ac278 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 00000000772ac288 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] 
.text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ac380 5 bytes [48, B8, 3C, 2B, 06] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 00000000772ac388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772ac450 5 bytes [48, B8, 0C, 24, 06] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 00000000772ac458 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000772ad020 6 bytes [48, B8, 68, 23, 06, 00] .text C:\Windows\Explorer.EXE[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000772ad028 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefdb0d871 14 bytes [B8, FC, 93, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb26d10 8 bytes [48, B8, 6C, 93, 06, 00, 00, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007fefdb26d1a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007fefdb324f9 14 bytes [B8, 6C, 94, 06, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefdd11c78 14 bytes [48, B8, 9C, A9, 06, 00, 00, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\system32\samcli.dll!NetUserSetInfo + 1 000007fefb0568bd 1 byte [B8] .text C:\Windows\Explorer.EXE[1532] C:\Windows\system32\samcli.dll!NetUserSetInfo + 3 000007fefb0568bf 12 bytes [26, 06, 00, 00, 00, 00, 00, ...] .text C:\Windows\Explorer.EXE[1532] C:\Windows\system32\samcli.dll!NetUserChangePassword 000007fefb057e18 15 bytes [48, B8, 7C, 27, 06, 00, 00, ...] 
.text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077282171 12 bytes [B8, 88, 74, 05, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077285be1 14 bytes [B8, 98, 73, 05, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772abc20 5 bytes [48, B8, A4, 2A, 05] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772abc28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000772ac030 5 bytes [48, B8, 78, 13, 05] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 00000000772ac038 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772ac080 5 bytes [48, B8, 9C, 24, 05] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772ac088 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 00000000772ac250 5 bytes [48, B8, 54, 29, 05] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 00000000772ac258 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772ac270 5 bytes [48, B8, AC, 22, 05] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000772ac278 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 00000000772ac288 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] 
.text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ac380 5 bytes [48, B8, 3C, 2B, 05] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 00000000772ac388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772ac450 5 bytes [48, B8, 0C, 24, 05] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 00000000772ac458 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000772ad020 6 bytes [48, B8, 68, 23, 05, 00] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000772ad028 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefdb0d871 14 bytes [B8, FC, 93, 05, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb26d10 8 bytes [48, B8, 6C, 93, 05, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007fefdb26d1a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007fefdb324f9 14 bytes [B8, 6C, 94, 05, 00, 00, 00, ...] .text C:\Windows\system32\taskhost.exe[1780] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefdd11c78 14 bytes [48, B8, 9C, A9, 05, 00, 00, ...] 
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000758c1401 2 bytes JMP 76d5b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000758c1419 2 bytes JMP 76d5b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000758c1431 2 bytes JMP 76dd90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000758c144a 2 bytes CALL 76d348ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758c14dd 2 bytes JMP 76dd89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758c14f5 2 bytes JMP 76dd8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000758c150d 2 bytes JMP 76dd88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000758c1525 2 bytes JMP 76dd8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000758c153d 2 bytes JMP 76d4fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech 
Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000758c1555 2 bytes JMP 76d56937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000758c156d 2 bytes JMP 76dd91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000758c1585 2 bytes JMP 76dd8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000758c159d 2 bytes JMP 76dd88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758c15b5 2 bytes JMP 76d4fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758c15cd 2 bytes JMP 76d5b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758c16b2 2 bytes JMP 76dd906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758c16bd 2 bytes JMP 76dd8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtClose + 1 000000007745f9f1 3 bytes [0B, 1D, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtClose + 5 000000007745f9f5 2 bytes [50, C3] .text C:\Program Files\AVAST 
Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory + 1 0000000077460049 3 bytes [88, 11, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory + 5 000000007746004d 2 bytes [50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000774600c5 3 bytes [08, 1A, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000774600c9 2 bytes [50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 1 0000000077460399 3 bytes [68, 1C, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 5 000000007746039d 2 bytes [50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000774603c9 3 bytes [96, 19, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000774603cd 2 bytes [50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 1 00000000774603e1 3 bytes [E0, 1B, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 5 00000000774603e5 2 bytes [50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 1 0000000077460561 3 bytes [34, 1D, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 0000000077460565 2 bytes [50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 00000000774606a5 3 bytes [E2, 19, 05] .text C:\Program Files\AVAST 
Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 00000000774606a9 2 bytes [50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000774618d1 3 bytes [BC, 19, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000774618d5 2 bytes [50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007747c0f0 7 bytes [B8, 0D, 77, 05, 00, 50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007747c99d 8 bytes [B8, 42, 84, 05, 00, 50, C3, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076d38791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000759678f2 8 bytes [B8, 8D, 1D, 05, 00, 50, C3, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075967be3 8 bytes [B8, 45, 1D, 05, 00, 50, C3, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075968342 7 bytes [B8, DD, 18, 05, 00, 50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!RegisterClassW + 237 0000000075968b62 8 bytes [B8, B6, 5B, 05, 00, 50, C3, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000759705ca 11 bytes [B8, 20, 1E, 05, 00, 50, C3, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007597292f 11 bytes [B8, EE, 77, 05, 00, 50, C3, ...] 
.text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075975f84 11 bytes [B8, D5, 1D, 05, 00, 50, C3, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075976120 7 bytes [B8, B7, 18, 05, 00, 50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075976295 12 bytes [B8, 3C, 79, 05, 00, 50, C3, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!ScrollWindowEx + 84 000000007598d5d3 8 bytes [B8, DA, 73, 05, 00, 50, C3, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007598ebb6 7 bytes [B8, 41, 77, 05, 00, 50, C3] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 000000007598ec89 3 bytes [9B, 78, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 000000007598ec8d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 00000000759b8240 11 bytes [B8, 9A, 56, 05, 00, 50, C3, ...] 
.text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 00000000759c8438 3 bytes [FD, 55, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 00000000759c843c 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!EndTask + 1 00000000759ca8b7 3 bytes [4F, 19, 05] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2572] C:\Windows\syswow64\USER32.dll!EndTask + 5 00000000759ca8bb 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtClose + 1 000000007745f9f1 3 bytes [0B, 1D, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtClose + 5 000000007745f9f5 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory + 1 0000000077460049 3 bytes [88, 11, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory + 5 000000007746004d 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000774600c5 3 bytes [08, 1A, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000774600c9 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 1 0000000077460399 3 bytes [68, 1C, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 5 000000007746039d 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000774603c9 
3 bytes [96, 19, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000774603cd 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 1 00000000774603e1 3 bytes [E0, 1B, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 5 00000000774603e5 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 1 0000000077460561 3 bytes [34, 1D, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 0000000077460565 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 00000000774606a5 3 bytes [E2, 19, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 00000000774606a9 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000774618d1 3 bytes [BC, 19, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000774618d5 2 bytes [50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007747c0f0 7 bytes [B8, 0D, 77, 05, 00, 50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007747c99d 8 bytes [B8, 42, 84, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000759678f2 8 bytes [B8, 8D, 1D, 05, 00, 50, C3, ...] 
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075967be3 8 bytes [B8, 45, 1D, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075968342 7 bytes [B8, DD, 18, 05, 00, 50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!RegisterClassW + 237 0000000075968b62 8 bytes [B8, B6, 5B, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000759705ca 11 bytes [B8, 20, 1E, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007597292f 11 bytes [B8, EE, 77, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075975f84 11 bytes [B8, D5, 1D, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075976120 7 bytes [B8, B7, 18, 05, 00, 50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075976295 12 bytes [B8, 3C, 79, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!ScrollWindowEx + 84 000000007598d5d3 8 bytes [B8, DA, 73, 05, 00, 50, C3, ...] 
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007598ebb6 7 bytes [B8, 41, 77, 05, 00, 50, C3] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 000000007598ec89 3 bytes [9B, 78, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 000000007598ec8d 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 00000000759b8240 11 bytes [B8, 9A, 56, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 00000000759c8438 3 bytes [FD, 55, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 00000000759c843c 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!EndTask + 1 00000000759ca8b7 3 bytes [4F, 19, 05] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\USER32.dll!EndTask + 5 00000000759ca8bb 5 bytes [50, C3, 90, 90, 90] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000756a546d 10 bytes [B8, 20, 6A, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756b9cbb 8 bytes [B8, 90, 87, 05, 00, 50, C3, ...] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000756b9cfe 9 bytes [B8, FA, 69, 05, 00, 50, C3, ...] 
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[4716] C:\Windows\syswow64\MSCTF.dll!TF_Notify 0000000076a83a1d 7 bytes [B8, 07, 74, 05, 00, 50, C3] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 1 0000000077282171 12 bytes [B8, 88, 74, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll + 1 0000000077285be1 14 bytes [B8, 98, 73, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772abc20 5 bytes [48, B8, A4, 2A, 06] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8 00000000772abc28 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000772ac080 5 bytes [48, B8, 9C, 24, 06] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000772ac088 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort 00000000772ac250 5 bytes [48, B8, 54, 29, 06] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcAcceptConnectPort + 8 00000000772ac258 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772ac270 5 bytes [48, B8, AC, 22, 06] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort + 8 00000000772ac278 13 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcCreatePort + 8 00000000772ac288 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] 
.text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000772ac380 5 bytes [48, B8, 3C, 2B, 06] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 8 00000000772ac388 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000772ac450 5 bytes [48, B8, 0C, 24, 06] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort + 8 00000000772ac458 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort 00000000772ad020 6 bytes [48, B8, 68, 23, 06, 00] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\SYSTEM32\ntdll.dll!NtSecureConnectPort + 8 00000000772ad028 8 bytes [00, 00, 50, C3, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\system32\MSCTF.dll!TF_Notify 000007fefdd11c78 14 bytes [48, B8, 9C, A9, 06, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\system32\ole32.dll!CoCreateInstanceEx + 1 000007fefdb0d871 14 bytes [B8, FC, 93, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb26d10 8 bytes [48, B8, 6C, 93, 06, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\system32\ole32.dll!CoCreateInstance + 10 000007fefdb26d1a 8 bytes [50, C3, 90, 90, 90, 90, 90, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\system32\ole32.dll!CoGetClassObject + 1 000007fefdb324f9 14 bytes [B8, 6C, 94, 06, 00, 00, 00, ...] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\system32\SAMCLI.DLL!NetUserSetInfo + 1 000007fefb0568bd 1 byte [B8] .text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\system32\SAMCLI.DLL!NetUserSetInfo + 3 000007fefb0568bf 12 bytes [26, 06, 00, 00, 00, 00, 00, ...] 
.text C:\Windows\system32\taskmgr.exe[2280] C:\Windows\system32\SAMCLI.DLL!NetUserChangePassword 000007fefb057e18 15 bytes [48, B8, 7C, 27, 06, 00, 00, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtClose + 1 000000007745f9f1 3 bytes [0B, 1D, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtClose + 5 000000007745f9f5 2 bytes [50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 1 00000000774600c5 3 bytes [08, 1A, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000774600c9 2 bytes [50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 1 0000000077460399 3 bytes [68, 1C, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtAlpcAcceptConnectPort + 5 000000007746039d 2 bytes [50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 1 00000000774603c9 3 bytes [96, 19, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 5 00000000774603cd 2 bytes [50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 1 00000000774603e1 3 bytes [E0, 1B, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtAlpcCreatePort + 5 00000000774603e5 2 bytes [50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 1 0000000077460561 3 bytes [34, 1D, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 0000000077460565 2 bytes [50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 1 00000000774606a5 3 bytes [E2, 19, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] 
C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 5 00000000774606a9 2 bytes [50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 1 00000000774618d1 3 bytes [BC, 19, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!NtSecureConnectPort + 5 00000000774618d5 2 bytes [50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 000000007747c0f0 7 bytes [B8, 0D, 77, 19, 00, 50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007747c99d 8 bytes [B8, 42, 84, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000759678f2 8 bytes [B8, 8D, 1D, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetMessageA 0000000075967be3 8 bytes [B8, 45, 1D, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075968342 7 bytes [B8, DD, 18, 19, 00, 50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!RegisterClassW + 237 0000000075968b62 8 bytes [B8, B6, 5B, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000759705ca 11 bytes [B8, 20, 1E, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007597292f 11 bytes [B8, EE, 77, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000075975f84 11 bytes [B8, D5, 1D, 19, 00, 50, C3, ...] 
.text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075976120 7 bytes [B8, B7, 18, 19, 00, 50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075976295 12 bytes [B8, 3C, 79, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!ScrollWindowEx + 84 000000007598d5d3 8 bytes [B8, DA, 73, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007598ebb6 7 bytes [B8, 41, 77, 19, 00, 50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 1 000000007598ec89 3 bytes [9B, 78, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 5 000000007598ec8d 5 bytes [50, C3, 90, 90, 90] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetRawInputBuffer 00000000759b8240 11 bytes [B8, 9A, 56, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetRawInputData + 1 00000000759c8438 3 bytes [FD, 55, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!GetRawInputData + 5 00000000759c843c 5 bytes [50, C3, 90, 90, 90] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!EndTask + 1 00000000759ca8b7 3 bytes [4F, 19, 19] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\USER32.dll!EndTask + 5 00000000759ca8bb 5 bytes [50, C3, 90, 90, 90] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\MSCTF.dll!TF_Notify 0000000076a83a1d 7 bytes [B8, 07, 74, 19, 00, 50, C3] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\ole32.dll!CoGetClassObject 00000000756a546d 10 bytes [B8, 20, 6A, 19, 00, 50, C3, ...] 
.text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756b9cbb 8 bytes [B8, 90, 87, 19, 00, 50, C3, ...] .text C:\Users\Admin\Desktop\u4rqhpwv.exe[1524] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000756b9cfe 9 bytes [B8, FA, 69, 19, 00, 50, C3, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\DRIVERS\kbdclass.sys[ntoskrnl.exe!IofCompleteRequest] [fffff880042e208c] \??\C:\Program Files (x86)\SpyShelter Free Anti-keylogger\SpyShelter.sys [.text] ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [376:2512] 000007fef7989688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD4 0xD7 0x67 0xB1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD4 0xD7 0x67 0xB1 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Admin\AppData\Local\Logitech® Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 ---- EOF - GMER 2.2 ----