Matthias, ich kann heute wahrscheinlich nicht mehr antworten. Gmer.txt: Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-04-18 18:41:36
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC3O 298,09GB
Running: Gmer-19357.exe; Driver: C:\Users\kami\AppData\Local\Temp\pxldqpow.sys
---- Kernel code sections - GMER 2.1 ----
.text C:\windows\System32\win32k.sys!W32pServiceTable fffff96000124c00 7 bytes [00, 93, F3, FF, 41, A4, F0]
.text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000124c08 3 bytes [00, 07, 02]
---- User code sections - GMER 2.1 ----
.text C:\windows\system32\taskhost.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007729de30 6 bytes {JMP QWORD [RIP+0x8ea2200]}
.text C:\windows\system32\taskhost.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007729de40 6 bytes {JMP QWORD [RIP+0x8f021f0]}
.text C:\windows\system32\taskhost.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007729df00 6 bytes {JMP QWORD [RIP+0x8ee2130]}
.text C:\windows\system32\taskhost.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007729e120 6 bytes {JMP QWORD [RIP+0x8ec1f10]}
.text C:\windows\system32\taskhost.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007729e1d0 6 bytes {JMP QWORD [RIP+0x8e61e60]}
.text C:\windows\system32\taskhost.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007729e760 6 bytes {JMP QWORD [RIP+0x8e818d0]}
.text C:\windows\system32\taskhost.exe[2684] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007729f100 6 bytes {JMP QWORD [RIP+0x8f20f30]}
.text C:\windows\system32\taskhost.exe[2684] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd3fa6f5 3 bytes [15, 59, 05]
.text C:\windows\Explorer.EXE[3100] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007729de30 6 bytes {JMP QWORD [RIP+0x8ea2200]}
.text C:\windows\Explorer.EXE[3100] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007729de40 6 bytes {JMP QWORD [RIP+0x8f021f0]}
.text C:\windows\Explorer.EXE[3100] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007729df00 6 bytes {JMP QWORD [RIP+0x8ee2130]}
.text C:\windows\Explorer.EXE[3100] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007729e120 6 bytes {JMP QWORD [RIP+0x8ec1f10]}
.text C:\windows\Explorer.EXE[3100] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007729e1d0 6 bytes {JMP QWORD [RIP+0x8e61e60]}
.text C:\windows\Explorer.EXE[3100] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007729e760 6 bytes {JMP QWORD [RIP+0x8e818d0]}
.text C:\windows\Explorer.EXE[3100] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007729f100 6 bytes {JMP QWORD [RIP+0x8f20f30]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007714dbc0 6 bytes {JMP QWORD [RIP+0x9092470]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd3fa6f5 3 bytes [15, 59, 05]
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\msi.dll!MsiSetInternalUI 000007feed8d5c70 6 bytes {JMP QWORD [RIP+0x9da3c0]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\msi.dll!MsiInstallProductA 000007feed952ad4 2 bytes [FF, 25]
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\msi.dll!MsiInstallProductA + 3 000007feed952ad7 3 bytes [D5, 91, 00]
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\msi.dll!MsiInstallProductW 000007feed96167c 6 bytes {JMP QWORD [RIP+0x92e9b4]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\WINSPOOL.DRV!AddPrintProvidorA 000007fefaec7b34 6 bytes {JMP QWORD [RIP+0x884fc]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\WINSPOOL.DRV!AddPrintProvidorW 000007fefaed03c0 6 bytes {JMP QWORD [RIP+0xcfc70]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefe063030 6 bytes {JMP QWORD [RIP+0x158d000]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\WS2_32.dll!connect + 1 000007fefe0645c1 5 bytes {JMP QWORD [RIP+0x152ba70]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\WS2_32.dll!listen 000007fefe068290 6 bytes {JMP QWORD [RIP+0x1567da0]}
.text C:\windows\Explorer.EXE[3100] C:\windows\system32\WS2_32.dll!WSAConnect 000007fefe08e0f0 6 bytes {JMP QWORD [RIP+0x1521f40]}
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes JMP 7178000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes JMP 7178000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes JMP 716f000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes JMP 716f000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes JMP 7172000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes JMP 7172000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes JMP 7175000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes JMP 7175000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes JMP 717e000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes JMP 717e000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes JMP 717b000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes JMP 717b000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes [6B, 71]
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076413b93 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes [68, 71]
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ea2c9e 4 bytes CALL 71af0000
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000075ee575a 6 bytes JMP 719c000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\syswow64\WS2_32.dll!connect 0000000075ee6bdd 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\syswow64\WS2_32.dll!listen 0000000075eeb001 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\1&1\1&1 Office-Drive Manager\DAVSRV.EXE[8352] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000075eecc3f 6 bytes {JMP QWORD [RIP+0x71a1001e]}
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes [77, 71]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes [6E, 71]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes [71, 71]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes JMP 7175000a
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes JMP 7175000a
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes [7D, 71]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes [7A, 71]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes [6B, 71]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076413b93 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes [68, 71]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ea2c9e 4 bytes {CALL QWORD [RIP+0x71af000a]}
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b09679 6 bytes {JMP QWORD [RIP+0x718c001e]}
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b112a5 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b13baa 6 bytes {JMP QWORD [RIP+0x7189001e]}
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!GetMenu + 412 0000000076b151dd 7 bytes JMP 000000011003ac50
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!PeekMessageA + 407 0000000076b1610b 7 bytes JMP 000000011003b000
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b1612e 6 bytes {JMP QWORD [RIP+0x718f001e]}
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 131 0000000076b1c6c1 7 bytes JMP 000000011003abc0
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!SendInput 0000000076b2ff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff4e 2 bytes [92, 71]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 0000000076b5fc98 7 bytes JMP 000000011003af50
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 0000000076b5fcd1 7 bytes JMP 000000011003adf0
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!MessageBoxExA + 31 0000000076b5fcf5 7 bytes JMP 000000011003af00
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b6027b 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[8548] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b602bf 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\Sony Corporation\Image Transfer\SonyTray.exe[8700] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076413b93 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Sony Corporation\Image Transfer\SonyTray.exe[8700] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes [7A, 71]
.text C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe[9012] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd3fa6f5 3 bytes CALL 0
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes [89, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes [80, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes [83, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes [86, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes [8F, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes [8C, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes [7D, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076413b93 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes [7A, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ea2c9e 4 bytes CALL 71af0000
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b09679 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b112a5 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b13baa 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b1612e 6 bytes JMP 71a2000a
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\USER32.dll!SendInput 0000000076b2ff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff4e 2 bytes [A4, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b6027b 6 bytes {JMP QWORD [RIP+0x71aa001e]}
.text C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe[9176] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b602bf 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes [77, 71]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes JMP 716f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes JMP 716f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes JMP 7172000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes JMP 7172000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes JMP 7175000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes JMP 7175000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes JMP 717e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes JMP 717e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes JMP 717b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes JMP 717b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes [6B, 71]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076413b93 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes [68, 71]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000075ee575a 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\syswow64\WS2_32.dll!connect 0000000075ee6bdd 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\syswow64\WS2_32.dll!listen 0000000075eeb001 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[9188] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000075eecc3f 6 bytes {JMP QWORD [RIP+0x71a1001e]}
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes JMP 716f000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes JMP 716f000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes JMP 7166000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes JMP 7166000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes [68, 71]
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes JMP 716c000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes JMP 716c000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes JMP 7175000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes JMP 7175000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes JMP 7172000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes JMP 7172000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes [62, 71]
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076413b93 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes [5F, 71]
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000075ee575a 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\syswow64\WS2_32.dll!connect 0000000075ee6bdd 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\syswow64\WS2_32.dll!listen 0000000075eeb001 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[1664] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000075eecc3f 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes [89, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes [80, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes [83, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes [86, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes [8F, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes [8C, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes [7D, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076413b93 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes [7A, 71]
.text C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe[10192] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ea2c9e 4 bytes {CALL QWORD [RIP+0x71af000a]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007729de30 6 bytes {JMP QWORD [RIP+0x8ea2200]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 000000007729de40 6 bytes {JMP QWORD [RIP+0x8f021f0]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007729df00 6 bytes {JMP QWORD [RIP+0x8ee2130]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007729e120 6 bytes {JMP QWORD [RIP+0x8ec1f10]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007729e1d0 6 bytes {JMP QWORD [RIP+0x8e61e60]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 000000007729e760 6 bytes {JMP QWORD [RIP+0x8e818d0]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007729f100 6 bytes {JMP QWORD [RIP+0x8f20f30]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\system32\kernel32.dll!CreateProcessInternalW 000000007714dbc0 6 bytes {JMP QWORD [RIP+0x9092470]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd3fa6f5 3 bytes [15, 59, 49]
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\system32\WS2_32.dll!WSALookupServiceBeginW 000007fefe063030 6 bytes {JMP QWORD [RIP+0x158d000]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\system32\WS2_32.dll!connect + 1 000007fefe0645c1 5 bytes {JMP QWORD [RIP+0x152ba70]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\system32\WS2_32.dll!listen 000007fefe068290 6 bytes {JMP QWORD [RIP+0x1567da0]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\system32\WS2_32.dll!WSAConnect 000007fefe08e0f0 6 bytes {JMP QWORD [RIP+0x1521f40]}
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[7176] C:\windows\system32\RASAPI32.dll!RasDialW + 1 000007fefa8a96f5 5 bytes {JMP QWORD [RIP+0x7693c]}
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes JMP 7178000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes JMP 7178000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes JMP 716f000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes JMP 716f000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes JMP 7172000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes JMP 7172000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes JMP 7175000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes JMP 7175000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes JMP 717e000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes JMP 717e000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes JMP 717b000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes JMP 717b000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes JMP 716c000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes JMP 716c000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076413b93 3 bytes JMP 7169000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes JMP 7169000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ea2c9e 4 bytes CALL 71af0000
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b09679 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b112a5 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b13baa 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b1612e 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\USER32.dll!SendInput 0000000076b2ff4a 3 bytes JMP 7193000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff4e 2 bytes JMP 7193000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b6027b 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b602bf 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076a170c4 6 bytes JMP 7181000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076a33264 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000075ee575a 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\WS2_32.dll!connect 0000000075ee6bdd 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\WS2_32.dll!listen 0000000075eeb001 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000075eecc3f 6 bytes JMP 71a2000a
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075211401 2 bytes JMP 7642b1ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075211419 2 bytes JMP 7642b31a C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075211431 2 bytes JMP 764a8f09 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007521144a 2 bytes CALL 76404885 C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752114dd 2 bytes JMP 764a8802 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752114f5 2 bytes JMP 764a89d8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007521150d 2 bytes JMP 764a86f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075211525 2 bytes JMP 764a8ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007521153d 2 bytes JMP 7641fc78 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075211555 2 bytes JMP 764268bf C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007521156d 2 bytes JMP 764a8fc1 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075211585 2 bytes JMP 764a8b22 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007521159d 2 bytes JMP 764a86bc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752115b5 2 bytes JMP 7641fd11 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752115cd 2 bytes JMP 7642b2b0 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752116b2 2 bytes JMP 764a8e84 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[13044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752116bd 2 bytes JMP 764a8651 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes JMP 718a000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes JMP 718a000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes JMP 7181000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes JMP 7181000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes JMP 7184000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes JMP 7184000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes JMP 7187000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes JMP 7187000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes JMP 7190000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes JMP 7190000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes JMP 718d000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes JMP 718d000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes JMP 717e000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes JMP 717e000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076413b93 3 bytes JMP 717b000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes JMP 717b000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ea2c9e 4 bytes CALL 71af0000
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b09679 6 bytes JMP 719f000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b112a5 6 bytes JMP 7199000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b13baa 6 bytes JMP 719c000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b1612e 6 bytes JMP 71a2000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\USER32.dll!SendInput 0000000076b2ff4a 3 bytes JMP 71a5000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff4e 2 bytes JMP 71a5000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b6027b 6 bytes JMP 71ab000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b602bf 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076a170c4 6 bytes JMP 7193000a
.text C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe[8536] C:\windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076a33264 6 bytes JMP 7196000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess 000000007744fc1c 3 bytes JMP 718a000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 4 000000007744fc20 2 bytes JMP 718a000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007744fc34 3 bytes JMP 7181000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4 000000007744fc38 2 bytes JMP 7181000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007744fd60 3 bytes JMP 7184000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007744fd64 2 bytes JMP 7184000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774500b0 3 bytes JMP 7187000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774500b4 2 bytes JMP 7187000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000774501c0 3 bytes JMP 7190000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey + 4 00000000774501c4 2 bytes JMP 7190000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077450a40 3 bytes JMP 718d000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4 0000000077450a44 2 bytes JMP 718d000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007745191c 3 bytes JMP 717e000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread + 4 0000000077451920 2 bytes JMP 717e000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076413b93 3 bytes JMP 717b000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW + 4 0000000076413b97 2 bytes JMP 717b000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075ea2c9e 4 bytes CALL 71af0000
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\USER32.dll!SendMessageW 0000000076b09679 6 bytes JMP 719f000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\USER32.dll!PostMessageW 0000000076b112a5 6 bytes JMP 7199000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\USER32.dll!PostMessageA 0000000076b13baa 6 bytes JMP 719c000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\USER32.dll!SendMessageA 0000000076b1612e 6 bytes JMP 71a2000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\USER32.dll!SendInput 0000000076b2ff4a 3 bytes JMP 71a5000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\USER32.dll!SendInput + 4 0000000076b2ff4e 2 bytes JMP 71a5000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\USER32.dll!mouse_event 0000000076b6027b 6 bytes JMP 71ab000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\USER32.dll!keybd_event 0000000076b602bf 6 bytes JMP 71a8000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076a170c4 6 bytes JMP 7193000a
.text C:\Users\kami\Desktop\Gmer-19357.exe[11964] C:\windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076a33264 6 bytes JMP 7196000a
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395d12e69
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395d12e69@001891615130 0x4E 0xF5 0x71 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395d12e69@001a45be5960 0xA1 0xA9 0x4D 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395d12e69@0016b8f80bac 0xC0 0x21 0xB3 0x59 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395d12e69 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395d12e69@001891615130 0x4E 0xF5 0x71 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395d12e69@001a45be5960 0xA1 0xA9 0x4D 0x66 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395d12e69@0016b8f80bac 0xC0 0x21 0xB3 0x59 ...
---- EOF - GMER 2.1 ----