GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-06 15:03:41
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0001 465,76GB
Running: gmer.exe; Driver: C:\Temp\uxliapoc.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1968] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075c98769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Windows\system32\Dwm.exe[2104] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7e32f0 7 bytes JMP 000007fefd7d00d8
.text C:\Windows\system32\Dwm.exe[2104] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7eaa60 5 bytes JMP 000007fefd7d0180
.text C:\Windows\system32\Dwm.exe[2104] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7eac00 5 bytes JMP 000007fefd7d0110
.text C:\Windows\system32\Dwm.exe[2104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7f9ac0 5 bytes JMP 000007fefd7d0148
.text C:\Windows\system32\Dwm.exe[2104] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe498840 8 bytes JMP 000007fefd7d01f0
.text C:\Windows\system32\Dwm.exe[2104] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe49b9f0 8 bytes JMP 000007fefd7d01b8
.text C:\Windows\system32\Dwm.exe[2104] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef62cdc88 5 bytes JMP 000007fef60c00d8
.text C:\Windows\system32\Dwm.exe[2104] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef62cde10 5 bytes JMP 000007fef60c0110
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3840] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075c98769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3392] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7e32f0 7 bytes JMP 000007fefd7d00d8
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3392] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7eaa60 5 bytes JMP 000007fefd7d0180
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3392] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7eac00 5 bytes JMP 000007fefd7d0110
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3392] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7f9ac0 5 bytes JMP 000007fefd7d0148
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3392] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe498840 8 bytes JMP 000007fefd7d01f0
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3392] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe49b9f0 8 bytes JMP 000007fefd7d01b8
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3392] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc86d10 11 bytes JMP 000007fefd7d0228
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3392] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdc9b4f0 7 bytes JMP 000007fefd7d0260
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000775ca3f0 7 bytes JMP 000000006fff0228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000775d3f00 5 bytes JMP 000000006fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775effd0 5 bytes JMP 000000006fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775ff3f0 5 bytes JMP 000000006fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077629c80 7 bytes JMP 000000006fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077639710 5 bytes JMP 000000006fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077658ab0 7 bytes JMP 000000006fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7e32f0 7 bytes JMP 000007fefd7d00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7eaa60 5 bytes JMP 000007fefd7d0180
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7eac00 5 bytes JMP 000007fefd7d0110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7f9ac0 5 bytes JMP 000007fefd7d0148
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe498840 8 bytes JMP 000007fefd7d01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe49b9f0 8 bytes JMP 000007fefd7d01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc86d10 11 bytes JMP 000007fefd7d0228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8512] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdc9b4f0 7 bytes JMP 000007fefd7d0260
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c91eee 7 bytes JMP 0000000074ed5270
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c95b85 7 bytes JMP 0000000074ed58b0
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075ca1409 7 bytes JMP 0000000074ed54c0
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075caea5d 7 bytes JMP 0000000074ed5260
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d390c4 7 bytes JMP 0000000074ed4890
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d39149 5 bytes JMP 0000000074ed4a70
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d3949f 5 bytes JMP 0000000074ed48a0
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c41e4c 5 bytes JMP 0000000074ed47b0
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c41efa 5 bytes JMP 0000000074ed46c0
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c42bdc 5 bytes JMP 00000000739eb4e3
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c42e7e 5 bytes JMP 00000000739eb54d
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076868a29 5 bytes JMP 0000000074ed3880
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076875645 5 bytes JMP 0000000074ed4340
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007688f61f 5 bytes JMP 0000000074ed43a0
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768b0867 5 bytes JMP 0000000074ed3600
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768c7af4 5 bytes JMP 0000000074ed4310
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075dbe757 5 bytes JMP 0000000074ed39c0
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075dbe991 5 bytes JMP 0000000074ed39d0
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000075031003 2 bytes [03, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000075031016 2 bytes [03, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000756b5e75 5 bytes JMP 0000000074ed3840
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756e9cbb 5 bytes JMP 0000000074ed3720
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075641401 2 bytes JMP 75cbb233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075641419 2 bytes JMP 75cbb35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075641431 2 bytes JMP 75d39149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007564144a 2 bytes CALL 75c94885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756414dd 2 bytes JMP 75d38a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756414f5 2 bytes JMP 75d38c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007564150d 2 bytes JMP 75d38938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075641525 2 bytes JMP 75d38d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007564153d 2 bytes JMP 75cafcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075641555 2 bytes JMP 75cb6907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007564156d 2 bytes JMP 75d39201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075641585 2 bytes JMP 75d38d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007564159d 2 bytes JMP 75d388fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756415b5 2 bytes JMP 75cafd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756415cd 2 bytes JMP 75cbb2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756416b2 2 bytes JMP 75d390c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[5960] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756416bd 2 bytes JMP 75d38891 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c91eee 7 bytes JMP 0000000074ed5270
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c95b85 7 bytes JMP 0000000074ed58b0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075ca1409 7 bytes JMP 0000000074ed54c0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075caea5d 7 bytes JMP 0000000074ed5260
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d390c4 7 bytes JMP 0000000074ed4890
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d39149 5 bytes JMP 0000000074ed4a70
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d3949f 5 bytes JMP 0000000074ed48a0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c41e4c 5 bytes JMP 0000000074ed47b0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c41efa 5 bytes JMP 0000000074ed46c0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c42bdc 5 bytes JMP 0000000074ed4a80
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c42e7e 5 bytes JMP 0000000074ed43b0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076868a29 5 bytes JMP 0000000074ed3880
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076875645 5 bytes JMP 0000000074ed4340
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007688f61f 5 bytes JMP 0000000074ed43a0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768b0867 5 bytes JMP 0000000074ed3600
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768c7af4 5 bytes JMP 0000000074ed4310
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075dbe757 5 bytes JMP 0000000074ed39c0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075dbe991 5 bytes JMP 0000000074ed39d0
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000075031003 2 bytes [03, 75]
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000075031016 2 bytes [03, 75]
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000756b5e75 5 bytes JMP 0000000074ed3840
.text C:\Program Files (x86)\Launch Manager\LMworker.exe[7344] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756e9cbb 5 bytes JMP 0000000074ed3720
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c91eee 7 bytes JMP 0000000074ed5270
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c95b85 7 bytes JMP 0000000074ed58b0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075ca1409 7 bytes JMP 0000000074ed54c0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075caea5d 7 bytes JMP 0000000074ed5260
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d390c4 7 bytes JMP 0000000074ed4890
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d39149 5 bytes JMP 0000000074ed4a70
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d3949f 5 bytes JMP 0000000074ed48a0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c41e4c 5 bytes JMP 0000000074ed47b0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c41efa 5 bytes JMP 0000000074ed46c0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c42bdc 5 bytes JMP 0000000074ed4a80
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c42e7e 5 bytes JMP 0000000074ed43b0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076868a29 5 bytes JMP 0000000074ed3880
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076875645 5 bytes JMP 0000000074ed4340
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007688f61f 5 bytes JMP 0000000074ed43a0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768b0867 5 bytes JMP 0000000074ed3600
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768c7af4 5 bytes JMP 0000000074ed4310
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075dbe757 5 bytes JMP 0000000074ed39c0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075dbe991 5 bytes JMP 0000000074ed39d0
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000756b5e75 5 bytes JMP 0000000074ed3840
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756e9cbb 5 bytes JMP 0000000074ed3720
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000075031003 2 bytes [03, 75]
.text C:\Program Files (x86)\Launch Manager\LMutilps32.exe[1224] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000075031016 2 bytes [03, 75]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000775ca3f0 7 bytes JMP 000000006fff0228
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000775d3f00 5 bytes JMP 000000006fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775effd0 5 bytes JMP 000000006fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775ff3f0 5 bytes JMP 000000006fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077629c80 7 bytes JMP 000000006fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077639710 5 bytes JMP 000000006fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077658ab0 7 bytes JMP 000000006fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7e32f0 7 bytes JMP 000007fefd7d00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7eaa60 5 bytes JMP 000007fefd7d0180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7eac00 5 bytes JMP 000007fefd7d0110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7f9ac0 5 bytes JMP 000007fefd7d0148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe498840 8 bytes JMP 000007fefd7d01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe49b9f0 8 bytes JMP 000007fefd7d01b8
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c91eee 7 bytes JMP 0000000074ed5270
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c95b85 7 bytes JMP 0000000074ed58b0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075ca1409 7 bytes JMP 0000000074ed54c0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075caea5d 7 bytes JMP 0000000074ed5260
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d390c4 7 bytes JMP 0000000074ed4890
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d39149 5 bytes JMP 0000000074ed4a70
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d3949f 5 bytes JMP 0000000074ed48a0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c41e4c 5 bytes JMP 0000000074ed47b0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c41efa 5 bytes JMP 0000000074ed46c0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c42bdc 5 bytes JMP 0000000074ed4a80
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c42e7e 5 bytes JMP 0000000074ed43b0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075dbe757 5 bytes JMP 0000000074ed39c0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075dbe991 5 bytes JMP 0000000074ed39d0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076868a29 5 bytes JMP 0000000074ed3880
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076875645 5 bytes JMP 0000000074ed4340
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007688f61f 5 bytes JMP 0000000074ed43a0
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768b0867 5 bytes JMP 0000000074ed3600
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768c7af4 5 bytes JMP 0000000074ed4310
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000756b5e75 5 bytes JMP 0000000074ed3840
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756e9cbb 5 bytes JMP 0000000074ed3720
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000075031003 2 bytes [03, 75]
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000075031016 2 bytes [03, 75]
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075641401 2 bytes JMP 75cbb233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075641419 2 bytes JMP 75cbb35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075641431 2 bytes JMP 75d39149 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007564144a 2 bytes CALL 75c94885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756414dd 2 bytes JMP 75d38a42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756414f5 2 bytes JMP 75d38c18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007564150d 2 bytes JMP 75d38938 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075641525 2 bytes JMP 75d38d02 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007564153d 2 bytes JMP 75cafcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075641555 2 bytes JMP 75cb6907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007564156d 2 bytes JMP 75d39201 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075641585 2 bytes JMP 75d38d62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007564159d 2 bytes JMP 75d388fc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756415b5 2 bytes JMP 75cafd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756415cd 2 bytes JMP 75cbb2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756416b2 2 bytes JMP 75d390c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756416bd 2 bytes JMP 75d38891 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000775ca3f0 7 bytes JMP 000000006fff0228
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000775d3f00 5 bytes JMP 000000006fff0180
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775effd0 5 bytes JMP 000000006fff01b8
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775ff3f0 5 bytes JMP 000000006fff0110
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077629c80 7 bytes JMP 000000006fff00d8
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077639710 5 bytes JMP 000000006fff0148
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077658ab0 7 bytes JMP 000000006fff01f0
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7e32f0 7 bytes JMP 000007fefd7d00d8
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7eaa60 5 bytes JMP 000007fefd7d0180
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7eac00 5 bytes JMP 000007fefd7d0110
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7f9ac0 5 bytes JMP 000007fefd7d0148
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe498840 8 bytes JMP 000007fefd7d01f0
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe49b9f0 8 bytes JMP 000007fefd7d01b8
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc86d10 11 bytes JMP 000007fefd7d0228
.text C:\Windows\system32\taskmgr.exe[8968] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdc9b4f0 7 bytes JMP 000007fefd7d0260
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c91eee 7 bytes JMP 0000000074ed5270
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c95b85 7 bytes JMP 0000000074ed58b0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075ca1409 7 bytes JMP 0000000074ed54c0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075caea5d 7 bytes JMP 0000000074ed5260
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d390c4 7 bytes JMP 0000000074ed4890
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d39149 5 bytes JMP 0000000074ed4a70
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d3949f 5 bytes JMP 0000000074ed48a0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c41e4c 5 bytes JMP 0000000074ed47b0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c41efa 5 bytes JMP 0000000074ed46c0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c42bdc 5 bytes JMP 0000000074ed4a80
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c42e7e 5 bytes JMP 0000000074ed43b0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\user32.dll!CreateWindowExW 0000000076868a29 5 bytes JMP 0000000074ed3880
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\user32.dll!EnumDisplayDevicesA 0000000076875645 5 bytes JMP 0000000074ed4340
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\user32.dll!EnumDisplayDevicesW 000000007688f61f 5 bytes JMP 0000000074ed43a0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\user32.dll!ChangeDisplaySettingsExW 00000000768b0867 5 bytes JMP 0000000074ed3600
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\user32.dll!DisplayConfigGetDeviceInfo 00000000768c7af4 5 bytes JMP 0000000074ed4310
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075dbe757 5 bytes JMP 0000000074ed39c0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075dbe991 5 bytes JMP 0000000074ed39d0
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000756b5e75 5 bytes JMP 0000000074ed3840
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756e9cbb 5 bytes JMP 0000000074ed3720
.text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW +
17 0000000075641401 2 bytes JMP 75cbb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075641419 2 bytes JMP 75cbb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075641431 2 bytes JMP 75d39149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007564144a 2 bytes CALL 75c94885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756414dd 2 bytes JMP 75d38a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756414f5 2 bytes JMP 75d38c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007564150d 2 bytes JMP 75d38938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075641525 2 bytes JMP 75d38d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007564153d 2 bytes JMP 75cafcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075641555 2 bytes JMP 75cb6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007564156d 2 bytes JMP 75d39201 C:\Windows\syswow64\kernel32.dll .text C:\Program 
Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075641585 2 bytes JMP 75d38d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007564159d 2 bytes JMP 75d388fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756415b5 2 bytes JMP 75cafd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756415cd 2 bytes JMP 75cbb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756416b2 2 bytes JMP 75d390c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[5756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756416bd 2 bytes JMP 75d38891 C:\Windows\syswow64\kernel32.dll ? 
C:\Windows\System32\NLSData0000.dll [5756] entry point in ".rdata" section 0000000061dec541 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c91eee 7 bytes JMP 0000000074ed5270 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c95b85 7 bytes JMP 0000000074ed58b0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075ca1409 7 bytes JMP 0000000074ed54c0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075caea5d 7 bytes JMP 0000000074ed5260 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d390c4 7 bytes JMP 0000000074ed4890 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d39149 5 bytes JMP 0000000074ed4a70 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d3949f 5 bytes JMP 0000000074ed48a0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c41e4c 5 bytes JMP 0000000074ed47b0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c41efa 5 bytes JMP 0000000074ed46c0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c42bdc 5 bytes JMP 0000000074ed4a80 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c42e7e 5 bytes JMP 0000000074ed43b0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076868a29 5 bytes JMP 0000000074ed3880 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076875645 5 bytes JMP 0000000074ed4340 .text C:\Windows\SysWOW64\wscript.exe[2112] 
C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007688f61f 5 bytes JMP 0000000074ed43a0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768b0867 5 bytes JMP 0000000074ed3600 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768c7af4 5 bytes JMP 0000000074ed4310 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075dbe757 5 bytes JMP 0000000074ed39c0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075dbe991 5 bytes JMP 0000000074ed39d0 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000756b5e75 5 bytes JMP 0000000074ed3840 .text C:\Windows\SysWOW64\wscript.exe[2112] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756e9cbb 5 bytes JMP 0000000074ed3720 .text C:\Windows\system32\DllHost.exe[6048] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7e32f0 7 bytes JMP 000007fefd7d00d8 .text C:\Windows\system32\DllHost.exe[6048] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7eaa60 5 bytes JMP 000007fefd7d0180 .text C:\Windows\system32\DllHost.exe[6048] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7eac00 5 bytes JMP 000007fefd7d0110 .text C:\Windows\system32\DllHost.exe[6048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7f9ac0 5 bytes JMP 000007fefd7d0148 .text C:\Windows\system32\DllHost.exe[6048] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdc86d10 11 bytes JMP 000007fefd7d0228 .text C:\Windows\system32\DllHost.exe[6048] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdc9b4f0 7 bytes JMP 000007fefd7d0260 .text C:\Windows\system32\DllHost.exe[6048] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe498840 8 bytes JMP 000007fefd7d01f0 .text C:\Windows\system32\DllHost.exe[6048] 
C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe49b9f0 8 bytes JMP 000007fefd7d01b8 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c91eee 7 bytes JMP 0000000074ed5270 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c95b85 7 bytes JMP 0000000074ed58b0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075ca1409 7 bytes JMP 0000000074ed54c0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075caea5d 7 bytes JMP 0000000074ed5260 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d390c4 7 bytes JMP 0000000074ed4890 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d39149 5 bytes JMP 0000000074ed4a70 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d3949f 5 bytes JMP 0000000074ed48a0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c41e4c 5 bytes JMP 0000000074ed47b0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c41efa 5 bytes JMP 0000000074ed46c0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c42bdc 5 bytes JMP 0000000074ed4a80 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c42e7e 5 bytes JMP 0000000074ed43b0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\user32.dll!CreateWindowExW 0000000076868a29 5 
bytes JMP 0000000074ed3880 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\user32.dll!EnumDisplayDevicesA 0000000076875645 5 bytes JMP 0000000074ed4340 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\user32.dll!EnumDisplayDevicesW 000000007688f61f 5 bytes JMP 0000000074ed43a0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\user32.dll!ChangeDisplaySettingsExW 00000000768b0867 5 bytes JMP 0000000074ed3600 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\user32.dll!DisplayConfigGetDeviceInfo 00000000768c7af4 5 bytes JMP 0000000074ed4310 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075dbe757 5 bytes JMP 0000000074ed39c0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075dbe991 5 bytes JMP 0000000074ed39d0 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000756b5e75 5 bytes JMP 0000000074ed3840 .text C:\Program Files (x86)\TC PowerPack 2\totalcmd.exe[6244] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000756e9cbb 5 bytes JMP 0000000074ed3720 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000775ca3f0 7 bytes JMP 000000006fff0228 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\kernel32.dll!RegQueryValueExW 00000000775d3f00 5 bytes JMP 000000006fff0180 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\kernel32.dll!RegDeleteValueW 00000000775effd0 5 bytes JMP 000000006fff01b8 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000775ff3f0 5 bytes JMP 000000006fff0110 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] 
C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077629c80 7 bytes JMP 000000006fff00d8 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077639710 5 bytes JMP 000000006fff0148 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077658ab0 7 bytes JMP 000000006fff01f0 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7e32f0 7 bytes JMP 000007fefd7d00d8 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7eaa60 5 bytes JMP 000007fefd7d0180 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd7eac00 5 bytes JMP 000007fefd7d0110 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7f9ac0 5 bytes JMP 000007fefd7d0148 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe498840 8 bytes JMP 000007fefd7d01f0 .text D:\Download\Mozilla Firefox\FRST\FRST64.exe[6460] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe49b9f0 8 bytes JMP 000007fefd7d01b8 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075c91eee 7 bytes JMP 0000000074ed5270 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075c95b85 7 bytes JMP 0000000074ed58b0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075ca1409 7 bytes JMP 0000000074ed54c0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 0000000075caea5d 7 bytes JMP 0000000074ed5260 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] 
C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000075d390c4 7 bytes JMP 0000000074ed4890 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075d39149 5 bytes JMP 0000000074ed4a70 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075d3949f 5 bytes JMP 0000000074ed48a0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075c41e4c 5 bytes JMP 0000000074ed47b0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075c41efa 5 bytes JMP 0000000074ed46c0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c42bdc 5 bytes JMP 0000000074ed4a80 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075c42e7e 5 bytes JMP 0000000074ed43b0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000075dbe757 5 bytes JMP 0000000074ed39c0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000075dbe991 5 bytes JMP 0000000074ed39d0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076875645 5 bytes JMP 0000000074ed4340 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007688f61f 5 bytes JMP 0000000074ed43a0 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000768b0867 5 bytes JMP 0000000074ed3600 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 00000000768c7af4 5 bytes JMP 0000000074ed4310 .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] 
C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 0000000075031003 2 bytes [03, 75] .text D:\Download\Mozilla Firefox\gmer\gmer.exe[6572] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 0000000075031016 2 bytes [03, 75] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\winlogon.exe[496] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefafa2950] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\winlogon.exe[496] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefafa2830] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\winlogon.exe[496] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefafa2950] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\winlogon.exe[496] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefafa2830] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[1108] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefafa2950] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[1108] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefafa2830] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[1108] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefafa2950] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[1108] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefafa2830] c:\windows\system32\uxtuneup.dll ---- Threads - GMER 2.2 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3512:2924] 0000000077a1046c Thread C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3512:4456] 00000000775a758d Thread C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3512:3532] 0000000077a0f523 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\08edb9f2085a Reg 
HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\08edb9f2085a (not active ControlSet) ---- EOF - GMER 2.2 ----