GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-10 17:38:34 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LV01 298.09GB Running: zojyiy3t.exe; Driver: C:\Users\BARBAR~2\AppData\Local\Temp\fgldqpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9375259C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x9938B388] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcConnectPort [0x9932EA8C] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcCreatePort [0x9932E55E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0x9932F928] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwConnectPort [0x9932E64C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x9375E7F2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x9375E83E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateFile [0x99335316] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x9375E9D8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x9375E760] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreatePort [0x9932E46A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x9938B720] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x9375E7A8] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateThread [0x9932D634] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwCreateTimer [0x9375E992] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDebugActiveProcess [0x9932DD22] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x93752602] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDuplicateObject [0x9932E32C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x9938B450] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x993899B4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x93752668] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x9375798C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x93754874] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9375E81C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x9375E860] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenFile [0x99335694] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x9375E9FC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x9375E786] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0x93756EA8] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenSection [0x9932C7B4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x9375E7D0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenThread [0x9932D8B0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) ZwOpenTimer [0x9375E9B6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x9938B5B0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x93754740] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwQueueApcThread [0x9932FA44] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestPort [0x9932ECB0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0x9932F018] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRestoreKey [0x9933510E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwResumeThread [0x9932E0CE] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSecureConnectPort [0x9932E86E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x937526CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x93752734] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSetContextThread [0x9932DBCC] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSetSystemInformation [0x993300E0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9375245A] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwShutdownSystem [0x9932F28A] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSuspendProcess [0x9932E1FE] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSuspendThread [0x9932DF7A] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSystemDebugControl [0x9932DE40] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x9938B678] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwTerminateThread [0x9932DA66] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! 
self protection module/AVAST Software) ZwUnloadDriver [0x993899E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9375279A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x9938B4FC] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateThreadEx [0x9932D768] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x993A4BA0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 840E07D0 4 Bytes [9C, 25, 75, 93] .text ntkrnlpa.exe!KeSetEvent + 131 840E07F4 4 Bytes [88, B3, 38, 99] .text ntkrnlpa.exe!KeSetEvent + 13D 840E0800 8 Bytes JMP E55E9932 .text ntkrnlpa.exe!KeSetEvent + 191 840E0854 4 Bytes [28, F9, 32, 99] .text ntkrnlpa.exe!KeSetEvent + 1C1 840E0884 4 Bytes [4C, E6, 32, 99] {DEC ESP; OUT 0x32, AL; CDQ } .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8420B5EF 5 Bytes JMP 993A1A3A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 842644D3 5 Bytes JMP 993A3554 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 8426DDEF 4 Bytes CALL 93754F37 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 84271A63 4 Bytes CALL 93754F4D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 842C5DBC 7 Bytes JMP 993A4BA4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! 
self protection module/AVAST Software) .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8C755000, 0x4036D, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8C79E000, 0x510, 0x40000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9180E000, 0x31BA76, 0xE8000020] .text win32k.sys!EngCreateRectRgn + 454E A1A704AD 5 Bytes JMP 93758628 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngEraseSurface + FDC A1A80665 5 Bytes JMP 937586CE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreatePalette + C20 A1A896C9 5 Bytes JMP 937593FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngTransparentBlt + 4A1 A1A8A4B5 5 Bytes JMP 9375956C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngTransparentBlt + 8C53 A1A92C67 5 Bytes JMP 937579C2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngTransparentBlt + 9360 A1A93374 2 Bytes JMP 9375888C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngTransparentBlt + 9363 A1A93377 2 Bytes [CC, F1] {INT 3 ; INT1 } .text win32k.sys!XLATEOBJ_iXlate + 616 A1A93BBD 2 Bytes JMP 937591B2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 619 A1A93BC0 2 Bytes [CC, F1] {INT 3 ; INT1 } .text win32k.sys!XFORMOBJ_iGetXform + 30F7 A1A9F2F7 5 Bytes JMP 937584DC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 4569 A1AA0769 5 Bytes JMP 93757D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 46B8 A1AA08B8 5 Bytes JMP 937587C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 4C4D A1AA0E4D 5 Bytes JMP 937587E2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 5235 A1AA1435 5 Bytes JMP 937582F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMapFontFileFD + 11A2A A1ABA305 5 Bytes JMP 9375822C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMapFontFileFD + 11A7E A1ABA359 5 Bytes JMP 93758508 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGradientFill + 377F A1AE14D3 5 Bytes JMP 93759060 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGradientFill + 60DD A1AE3E31 5 Bytes JMP 93757AD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMulDiv + 4D4B A1AEA7BA 5 Bytes JMP 93757DF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBlt + 2B49 A1AF4C4C 5 Bytes JMP 93759614 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStrokePath + 5FF A1AF7B3C 5 Bytes JMP 93757BF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLpkInstalled + 1D73 A1B01957 5 Bytes JMP 93759162 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAlphaBlend + B996 A1B11F03 5 Bytes JMP 937586EC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/AVAST Software) .text win32k.sys!EngNineGrid + 8C4 A1B160F5 5 Bytes JMP 9375933C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngNineGrid + 6F6A A1B1C79B 5 Bytes JMP 93759116 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCopyBits + B0F A1B1FF0A 5 Bytes JMP 93759284 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!STROBJ_vEnumStart + 4732 A1B27833 5 Bytes JMP 93757CDC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSemaphore + E7F A1B45DE6 5 Bytes JMP 93758008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_bEnum + 24C A1B4B6AE 5 Bytes JMP 93757EBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 26D9 A1B4F1E6 5 Bytes JMP 937594BE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFillPath + 3765 A1B675E6 5 Bytes JMP 9375870A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLineTo + A1B A1B6D73F 5 Bytes JMP 93757F24 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLineTo + D2A3 A1B79FC7 5 Bytes JMP 93758150 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLineTo + 10D1A A1B7DA3E 5 Bytes JMP 937580AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE spsys.sys!?SPVersion@@3PADA + 1ABF 81AB303F 110 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...] PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 81AB30AF 1 Byte [16] PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 81AB30AF 128 Bytes [16, 3B, C8, 75, E2, B0, 01, ...] 
PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 81AB3130 6 Bytes [0E, 83, 78, 14, 01, 75] PAGE spsys.sys!?SPVersion@@3PADA + 1BB7 81AB3137 2298 Bytes [83, 78, 18, 37, 75, 02, B3, ...] PAGE ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\spoolsv.exe[272] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\taskeng.exe[304] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[304] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [60, 71] .text C:\Windows\system32\taskeng.exe[304] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[304] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [63, 71] .text C:\Windows\system32\taskeng.exe[304] kernel32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\system32\taskeng.exe[304] kernel32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\system32\taskeng.exe[304] kernel32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\system32\taskeng.exe[304] kernel32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7167000A .text C:\Windows\system32\taskeng.exe[304] kernel32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 716A000A .text C:\Windows\system32\taskeng.exe[304] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\taskeng.exe[304] ADVAPI32.dll!CreateServiceW 75B89EB4 6 Bytes JMP 717F000A .text C:\Windows\system32\taskeng.exe[304] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 7191000A .text C:\Windows\system32\taskeng.exe[304] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 718B000A .text C:\Windows\system32\taskeng.exe[304] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\system32\taskeng.exe[304] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 718E000A .text C:\Windows\system32\taskeng.exe[304] ADVAPI32.dll!CreateServiceA 75BC72A1 6 Bytes JMP 7182000A 
.text C:\Windows\system32\taskeng.exe[304] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[304] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [78, 71] {JS 0x73} .text C:\Windows\system32\taskeng.exe[304] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\system32\taskeng.exe[304] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717C000A .text C:\Windows\system32\taskeng.exe[304] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7170000A .text C:\Windows\system32\taskeng.exe[304] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716D000A .text C:\Windows\system32\taskeng.exe[304] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7173000A .text C:\Windows\system32\taskeng.exe[304] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7176000A .text C:\Windows\system32\taskeng.exe[304] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\system32\taskeng.exe[304] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 7185000A .text C:\Windows\system32\taskeng.exe[304] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7188000A .text C:\Windows\system32\svchost.exe[320] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\taskeng.exe[464] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[464] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [60, 71] .text C:\Windows\system32\taskeng.exe[464] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[464] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [63, 71] .text C:\Windows\system32\taskeng.exe[464] kernel32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\system32\taskeng.exe[464] kernel32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\system32\taskeng.exe[464] kernel32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\system32\taskeng.exe[464] kernel32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 
7167000A .text C:\Windows\system32\taskeng.exe[464] kernel32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 716A000A .text C:\Windows\system32\taskeng.exe[464] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\taskeng.exe[464] ADVAPI32.dll!CreateServiceW 75B89EB4 6 Bytes JMP 717F000A .text C:\Windows\system32\taskeng.exe[464] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 7191000A .text C:\Windows\system32\taskeng.exe[464] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 718B000A .text C:\Windows\system32\taskeng.exe[464] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\system32\taskeng.exe[464] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 718E000A .text C:\Windows\system32\taskeng.exe[464] ADVAPI32.dll!CreateServiceA 75BC72A1 6 Bytes JMP 7182000A .text C:\Windows\system32\taskeng.exe[464] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[464] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [78, 71] {JS 0x73} .text C:\Windows\system32\taskeng.exe[464] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\system32\taskeng.exe[464] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717C000A .text C:\Windows\system32\taskeng.exe[464] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7170000A .text C:\Windows\system32\taskeng.exe[464] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716D000A .text C:\Windows\system32\taskeng.exe[464] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7173000A .text C:\Windows\system32\taskeng.exe[464] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7176000A .text C:\Windows\system32\taskeng.exe[464] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\system32\taskeng.exe[464] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 7185000A .text C:\Windows\system32\taskeng.exe[464] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7188000A .text C:\Windows\system32\taskeng.exe[464] NETAPI32.dll!NetScheduleJobAdd 
756182E0 6 Bytes JMP 715E000A .text C:\Windows\system32\csrss.exe[540] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\wininit.exe[596] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\csrss.exe[616] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [60, 71] .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [63, 71] .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] kernel32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] kernel32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] kernel32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] kernel32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7167000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] kernel32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 716A000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [78, 71] {JS 0x73} .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717C000A .text C:\Program 
Files\Uniblue\MaxiDisk\mdmonitor.exe[640] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7170000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716D000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7173000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7176000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ADVAPI32.dll!CreateServiceW 75B89EB4 6 Bytes JMP 717F000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 7191000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 718B000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 718E000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] ADVAPI32.dll!CreateServiceA 75BC72A1 6 Bytes JMP 7182000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!select 758F15F4 6 Bytes JMP 714F000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!closesocket 758F330C 6 Bytes JMP 715E000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!recv 758F343A 6 Bytes JMP 7144000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!ioctlsocket 758F3CE7 6 Bytes JMP 714C000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!connect 758F40D9 6 Bytes JMP 715B000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!WSASend 758F4496 6 Bytes JMP 713D000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!send 758F659B 
6 Bytes JMP 7155000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!sendto 758F67C5 6 Bytes JMP 7152000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!WSAGetOverlappedResult 758F8143 6 Bytes JMP 7137000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!WSARecv 758F8400 6 Bytes JMP 7140000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] WS2_32.dll!WSAAsyncSelect 7590A17C 6 Bytes JMP 7149000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 7185000A .text C:\Program Files\Uniblue\MaxiDisk\mdmonitor.exe[640] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7188000A .text C:\Windows\system32\services.exe[648] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\lsass.exe[660] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\lsm.exe[668] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[876] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text ... 
.text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 002601F8 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 002603FC .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [58, 71] .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ntdll.dll!NtProtectVirtualMemory 77284BA4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ntdll.dll!NtProtectVirtualMemory + 4 77284BA8 2 Bytes [52, 71] .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ntdll.dll!NtWriteVirtualMemory 772854E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ntdll.dll!NtWriteVirtualMemory + 4 772854E8 2 Bytes [4C, 71] .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] KERNEL32.dll!WriteProcessMemory 75C61CB8 6 Bytes JMP 7150000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 715C000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 715F000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] KERNEL32.dll!VirtualProtectEx 75C8DC3A 6 Bytes JMP 7156000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text 
C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 002703FC .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00270600 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00271014 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00270804 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00270A08 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00270C0C .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00270E10 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 002701F8 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00280600 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00280804 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00280A08 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] 
USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 002801F8 .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [76, 71] {JBE 0x73} .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 002803FC .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717A000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 716E000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716B000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7171000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7174000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ole32.dll!CoGetClassObject 7710FAE8 6 Bytes JMP 7185000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ole32.dll!CoCreateInstance 77129F3E 6 Bytes JMP 718B000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] ole32.dll!CoCreateInstanceEx 77129F81 6 Bytes JMP 7188000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A .text C:\Windows\System32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text 
C:\Windows\System32\svchost.exe[1072] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[1084] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001501F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001503FC .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001603FC .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00160600 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00161014 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00160804 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00160A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00160C0C .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00160E10 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001601F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00170600 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00170804 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00170A08 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001701F8 .text C:\Windows\system32\DRIVERS\xaudio.exe[1156] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001703FC .text C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 005201F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 005203FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 005303FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00530600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00531014 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00530804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00530A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00530C0C .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00530E10 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 005301F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00550600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00550804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00550A08 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 005501F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1172] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 005503FC .text C:\Windows\system32\AUDIODG.EXE[1236] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[1260] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\atieclxx.exe[1372] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[1404] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[1432] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text ... .text C:\Windows\system32\Dwm.exe[1728] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1728] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [47, 71] .text C:\Windows\system32\Dwm.exe[1728] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1728] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [4A, 71] .text C:\Windows\system32\Dwm.exe[1728] kernel32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\system32\Dwm.exe[1728] kernel32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\system32\Dwm.exe[1728] kernel32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\system32\Dwm.exe[1728] kernel32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 714E000A .text C:\Windows\system32\Dwm.exe[1728] kernel32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7171000A .text C:\Windows\system32\Dwm.exe[1728] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1728] ADVAPI32.dll!CreateServiceW 75B89EB4 6 Bytes JMP 7186000A .text C:\Windows\system32\Dwm.exe[1728] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text 
C:\Windows\system32\Dwm.exe[1728] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Windows\system32\Dwm.exe[1728] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\system32\Dwm.exe[1728] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Windows\system32\Dwm.exe[1728] ADVAPI32.dll!CreateServiceA 75BC72A1 6 Bytes JMP 7189000A .text C:\Windows\system32\Dwm.exe[1728] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7177000A .text C:\Windows\system32\Dwm.exe[1728] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7174000A .text C:\Windows\system32\Dwm.exe[1728] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717A000A .text C:\Windows\system32\Dwm.exe[1728] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717D000A .text C:\Windows\system32\Dwm.exe[1728] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1728] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [7F, 71] {JG 0x73} .text C:\Windows\system32\Dwm.exe[1728] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\system32\Dwm.exe[1728] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7183000A .text C:\Windows\system32\Dwm.exe[1728] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\system32\Dwm.exe[1728] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718C000A .text C:\Windows\system32\Dwm.exe[1728] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 718F000A .text C:\Windows\Explorer.EXE[1800] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1800] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [69, 71] .text C:\Windows\Explorer.EXE[1800] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1800] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [6C, 71] .text C:\Windows\Explorer.EXE[1800] kernel32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\Explorer.EXE[1800] 
kernel32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\Explorer.EXE[1800] kernel32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\Explorer.EXE[1800] kernel32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7170000A .text C:\Windows\Explorer.EXE[1800] kernel32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7173000A .text C:\Windows\Explorer.EXE[1800] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\Explorer.EXE[1800] ADVAPI32.dll!CreateServiceW 75B89EB4 6 Bytes JMP 7188000A .text C:\Windows\Explorer.EXE[1800] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Windows\Explorer.EXE[1800] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Windows\Explorer.EXE[1800] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\Explorer.EXE[1800] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Windows\Explorer.EXE[1800] ADVAPI32.dll!CreateServiceA 75BC72A1 6 Bytes JMP 718B000A .text C:\Windows\Explorer.EXE[1800] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7179000A .text C:\Windows\Explorer.EXE[1800] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7176000A .text C:\Windows\Explorer.EXE[1800] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717C000A .text C:\Windows\Explorer.EXE[1800] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717F000A .text C:\Windows\Explorer.EXE[1800] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1800] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [81, 71] .text C:\Windows\Explorer.EXE[1800] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\Explorer.EXE[1800] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7185000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!select 758F15F4 6 Bytes JMP 7154000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!closesocket 758F330C 6 Bytes JMP 7163000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!recv 758F343A 6 Bytes JMP 
7145000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!ioctlsocket 758F3CE7 6 Bytes JMP 7151000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!connect 758F40D9 6 Bytes JMP 7160000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!WSASend 758F4496 6 Bytes JMP 7122000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!send 758F659B 6 Bytes JMP 715A000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!sendto 758F67C5 6 Bytes JMP 7157000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!WSAGetOverlappedResult 758F8143 6 Bytes JMP 711C000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!WSARecv 758F8400 6 Bytes JMP 7125000A .text C:\Windows\Explorer.EXE[1800] WS2_32.dll!WSAAsyncSelect 7590A17C 6 Bytes JMP 714A000A .text C:\Windows\Explorer.EXE[1800] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Windows\Explorer.EXE[1800] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A .text C:\Windows\Explorer.EXE[1800] NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 7167000A .text C:\Windows\ehome\ehmsas.exe[1952] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000501F8 .text C:\Windows\ehome\ehmsas.exe[1952] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000503FC .text C:\Windows\ehome\ehmsas.exe[1952] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehmsas.exe[1952] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [5E, 71] .text C:\Windows\ehome\ehmsas.exe[1952] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehmsas.exe[1952] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [61, 71] .text C:\Windows\ehome\ehmsas.exe[1952] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\ehome\ehmsas.exe[1952] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\ehome\ehmsas.exe[1952] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text 
C:\Windows\ehome\ehmsas.exe[1952] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7165000A .text C:\Windows\ehome\ehmsas.exe[1952] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7168000A .text C:\Windows\ehome\ehmsas.exe[1952] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000603FC .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00060600 .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 7191000A .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 718B000A .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 718E000A .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00061014 .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00060804 .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00060A08 .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00060C0C .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00060E10 .text C:\Windows\ehome\ehmsas.exe[1952] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000601F8 .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00070600 .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00070804 .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00070A08 .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000701F8 .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!RegisterHotKey 
7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [76, 71] {JBE 0x73} .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000703FC .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\ehome\ehmsas.exe[1952] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717A000A .text C:\Windows\ehome\ehmsas.exe[1952] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 716E000A .text C:\Windows\ehome\ehmsas.exe[1952] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716B000A .text C:\Windows\ehome\ehmsas.exe[1952] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7171000A .text C:\Windows\ehome\ehmsas.exe[1952] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7174000A .text C:\Windows\ehome\ehmsas.exe[1952] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\ehome\ehmsas.exe[1952] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 7185000A .text C:\Windows\ehome\ehmsas.exe[1952] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7188000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1968] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001501F8 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001503FC .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [55, 71] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes 
[58, 71] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 715C000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 715F000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00160600 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00160804 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00160A08 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001601F8 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [76, 71] {JBE 0x73} .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001603FC .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] 
USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717A000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 716E000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716B000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7171000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7174000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001703FC .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00170600 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 7191000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 718B000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 718E000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00171014 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00170804 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00170A08 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00170C0C .text 
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00170E10 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001701F8 .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 7185000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7188000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 7153000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001601F8 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001603FC .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00170600 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00170804 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00170A08 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001701F8 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001703FC .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001803FC .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00180600 .text C:\Program 
Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00181014 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00180804 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00180A08 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00180C0C .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00180E10 .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2704] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001801F8 .text C:\Windows\system32\conime.exe[2720] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000501F8 .text C:\Windows\system32\conime.exe[2720] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000503FC .text C:\Windows\system32\conime.exe[2720] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conime.exe[2720] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [5E, 71] .text C:\Windows\system32\conime.exe[2720] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conime.exe[2720] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [61, 71] .text C:\Windows\system32\conime.exe[2720] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\system32\conime.exe[2720] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\system32\conime.exe[2720] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\system32\conime.exe[2720] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7165000A .text C:\Windows\system32\conime.exe[2720] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7168000A .text C:\Windows\system32\conime.exe[2720] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\conime.exe[2720] 
ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000603FC .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00060600 .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 7191000A .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 718B000A .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 718E000A .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00061014 .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00060804 .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00060A08 .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00060C0C .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00060E10 .text C:\Windows\system32\conime.exe[2720] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000601F8 .text C:\Windows\system32\conime.exe[2720] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 716E000A .text C:\Windows\system32\conime.exe[2720] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716B000A .text C:\Windows\system32\conime.exe[2720] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7171000A .text C:\Windows\system32\conime.exe[2720] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7174000A .text C:\Windows\system32\conime.exe[2720] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00070600 .text C:\Windows\system32\conime.exe[2720] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00070804 .text C:\Windows\system32\conime.exe[2720] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00070A08 .text C:\Windows\system32\conime.exe[2720] USER32.dll!SetWinEventHook 76329F3A 
5 Bytes JMP 000701F8 .text C:\Windows\system32\conime.exe[2720] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conime.exe[2720] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [76, 71] {JBE 0x73} .text C:\Windows\system32\conime.exe[2720] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000703FC .text C:\Windows\system32\conime.exe[2720] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\system32\conime.exe[2720] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717A000A .text C:\Windows\system32\conime.exe[2720] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\system32\conime.exe[2720] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 7185000A .text C:\Windows\system32\conime.exe[2720] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7188000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [5D, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [60, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] kernel32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] kernel32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] kernel32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] kernel32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7164000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] kernel32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7167000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] 
kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!select 758F15F4 6 Bytes JMP 7143000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!closesocket 758F330C 6 Bytes JMP 7152000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!recv 758F343A 6 Bytes JMP 712E000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!ioctlsocket 758F3CE7 6 Bytes JMP 7137000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!connect 758F40D9 6 Bytes JMP 714F000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!WSASend 758F4496 6 Bytes JMP 7124000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!send 758F659B 6 Bytes JMP 7149000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!sendto 758F67C5 6 Bytes JMP 7146000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!WSAGetOverlappedResult 758F8143 6 Bytes JMP 711E000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!WSARecv 758F8400 6 Bytes JMP 712A000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] WS2_32.dll!WSAAsyncSelect 7590A17C 6 Bytes JMP 7133000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ADVAPI32.dll!CreateServiceW 75B89EB4 6 Bytes JMP 717F000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 7191000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 718B000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] 
ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 718E000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] ADVAPI32.dll!CreateServiceA 75BC72A1 6 Bytes JMP 7182000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [78, 71] {JS 0x73} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717C000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7170000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716D000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7173000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7176000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 7185000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7188000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 716A000A .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001501F8 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001503FC .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 
00160600 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00160804 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00160A08 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001601F8 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001603FC .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001703FC .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00170600 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00171014 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00170804 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00170A08 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00170C0C .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00170E10 .text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2916] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001701F8 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text 
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication 
Foundation\SMSvcHost.exe[2968] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[2968] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000501F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000503FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00060600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00061014 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00060804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00060A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00060C0C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00060E10 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00070600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00070804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00070A08 .text C:\Program Files\Windows Media 
Player\wmpnetwk.exe[3072] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000701F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3072] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000703FC .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001601F8 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001603FC .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001703FC .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00170600 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00171014 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00170804 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00170A08 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00170C0C .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00170E10 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001701F8 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00180600 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00180804 .text C:\Program Files\O2Micro Flash Memory Card 
Driver\o2flash.exe[3088] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00180A08 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001801F8 .text C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3088] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001803FC .text C:\Windows\system32\svchost.exe[3180] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[3180] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[3180] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[3180] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 000C0600 .text C:\Windows\system32\svchost.exe[3180] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\svchost.exe[3180] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\svchost.exe[3180] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\svchost.exe[3180] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000C03FC 
.text C:\Windows\system32\taskeng.exe[3224] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Windows\system32\taskeng.exe[3224] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Windows\system32\taskeng.exe[3224] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\taskeng.exe[3224] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\taskeng.exe[3224] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\taskeng.exe[3224] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\taskeng.exe[3224] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\taskeng.exe[3224] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\taskeng.exe[3224] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\taskeng.exe[3224] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\taskeng.exe[3224] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000B01F8 .text C:\Windows\system32\taskeng.exe[3224] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 000C0600 .text C:\Windows\system32\taskeng.exe[3224] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\taskeng.exe[3224] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\taskeng.exe[3224] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\taskeng.exe[3224] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000C03FC .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] 
KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Program Files\Common Files\Sage SData\Sage.SData.Service.exe[3256] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\svchost.exe[3312] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[3312] ntdll.dll!LdrUnloadDll 
7725B680 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[3312] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[3312] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[3312] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[3312] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[3312] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[3312] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[3312] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[3312] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[3312] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[3312] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Windows\system32\svchost.exe[3312] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Windows\system32\svchost.exe[3312] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\svchost.exe[3312] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\svchost.exe[3312] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Windows\System32\StkASv2K.exe[3404] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001501F8 .text C:\Windows\System32\StkASv2K.exe[3404] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001503FC .text C:\Windows\System32\StkASv2K.exe[3404] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\System32\StkASv2K.exe[3404] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00160600 .text C:\Windows\System32\StkASv2K.exe[3404] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00160804 .text 
C:\Windows\System32\StkASv2K.exe[3404] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00160A08 .text C:\Windows\System32\StkASv2K.exe[3404] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001601F8 .text C:\Windows\System32\StkASv2K.exe[3404] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001603FC .text C:\Windows\System32\StkASv2K.exe[3404] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001703FC .text C:\Windows\System32\StkASv2K.exe[3404] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00170600 .text C:\Windows\System32\StkASv2K.exe[3404] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00171014 .text C:\Windows\System32\StkASv2K.exe[3404] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00170804 .text C:\Windows\System32\StkASv2K.exe[3404] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00170A08 .text C:\Windows\System32\StkASv2K.exe[3404] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00170C0C .text C:\Windows\System32\StkASv2K.exe[3404] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00170E10 .text C:\Windows\System32\StkASv2K.exe[3404] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001701F8 .text C:\Windows\ehome\ehtray.exe[3452] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Windows\ehome\ehtray.exe[3452] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Windows\ehome\ehtray.exe[3452] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehtray.exe[3452] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [67, 71] .text C:\Windows\ehome\ehtray.exe[3452] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehtray.exe[3452] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\ehome\ehtray.exe[3452] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\ehome\ehtray.exe[3452] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text 
C:\Windows\ehome\ehtray.exe[3452] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\ehome\ehtray.exe[3452] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 716E000A .text C:\Windows\ehome\ehtray.exe[3452] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7171000A .text C:\Windows\ehome\ehtray.exe[3452] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Windows\ehome\ehtray.exe[3452] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Windows\ehome\ehtray.exe[3452] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Windows\ehome\ehtray.exe[3452] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Windows\ehome\ehtray.exe[3452] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Windows\ehome\ehtray.exe[3452] 
USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Windows\ehome\ehtray.exe[3452] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\ehome\ehtray.exe[3452] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [7F, 71] {JG 0x73} .text C:\Windows\ehome\ehtray.exe[3452] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Windows\ehome\ehtray.exe[3452] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\ehome\ehtray.exe[3452] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7183000A .text C:\Windows\ehome\ehtray.exe[3452] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7177000A .text C:\Windows\ehome\ehtray.exe[3452] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7174000A .text C:\Windows\ehome\ehtray.exe[3452] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717A000A .text C:\Windows\ehome\ehtray.exe[3452] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717D000A .text C:\Windows\ehome\ehtray.exe[3452] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\ehome\ehtray.exe[3452] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Windows\ehome\ehtray.exe[3452] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 
00070804 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Program Files\Toshiba TEMPRO\TemproSvc.exe[3492] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001601F8 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001603FC .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00170600 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00170804 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00170A08 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001701F8 .text C:\Program Files\Toshiba\TOSHIBA DVD 
PLAYER\TNaviSrv.exe[3596] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001703FC .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001803FC .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00180600 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00181014 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00180804 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00180A08 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00180C0C .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00180E10 .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[3596] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001801F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [64, 71] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [67, 71] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text 
C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 716B000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 716E000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 
00070E10 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7177000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7174000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717A000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717D000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [7F, 71] {JG 0x73} .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7183000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 7171000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] 
IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A .text C:\Windows\system32\TODDSrv.exe[3680] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001601F8 .text C:\Windows\system32\TODDSrv.exe[3680] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001603FC .text C:\Windows\system32\TODDSrv.exe[3680] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\TODDSrv.exe[3680] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00170600 .text C:\Windows\system32\TODDSrv.exe[3680] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00170804 .text C:\Windows\system32\TODDSrv.exe[3680] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00170A08 .text C:\Windows\system32\TODDSrv.exe[3680] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001701F8 .text C:\Windows\system32\TODDSrv.exe[3680] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001703FC .text C:\Windows\system32\TODDSrv.exe[3680] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001803FC .text C:\Windows\system32\TODDSrv.exe[3680] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00180600 .text C:\Windows\system32\TODDSrv.exe[3680] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00181014 .text C:\Windows\system32\TODDSrv.exe[3680] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00180804 .text C:\Windows\system32\TODDSrv.exe[3680] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00180A08 .text C:\Windows\system32\TODDSrv.exe[3680] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00180C0C .text C:\Windows\system32\TODDSrv.exe[3680] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00180E10 .text C:\Windows\system32\TODDSrv.exe[3680] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001801F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001601F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] 
ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001603FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [5B, 71] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [5E, 71] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7162000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7165000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 7168000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001703FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00170600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 7191000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 718B000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Program 
Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 718E000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00171014 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00170804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00170A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00170C0C .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00170E10 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001701F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00180600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00180804 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00180A08 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [76, 71] {JBE 0x73} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001803FC .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 717A000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 
716E000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 716B000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 7171000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 7174000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 7185000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7188000A .text C:\Windows\System32\alg.exe[3728] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Windows\System32\alg.exe[3728] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Windows\System32\alg.exe[3728] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\System32\alg.exe[3728] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Windows\System32\alg.exe[3728] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Windows\System32\alg.exe[3728] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Windows\System32\alg.exe[3728] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Windows\System32\alg.exe[3728] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Windows\System32\alg.exe[3728] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Windows\System32\alg.exe[3728] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Windows\System32\alg.exe[3728] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Windows\System32\alg.exe[3728] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Windows\System32\alg.exe[3728] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text 
C:\Windows\System32\alg.exe[3728] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Windows\System32\alg.exe[3728] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Windows\System32\alg.exe[3728] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001601F8 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001603FC .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001803FC .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00180600 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00181014 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00180804 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00180A08 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00180C0C .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00180E10 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001801F8 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00190600 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00190804 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00190A08 .text 
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001901F8 .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[3736] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001903FC .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001601F8 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001603FC .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001703FC .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00170600 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00171014 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00170804 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00170A08 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00170C0C .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00170E10 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001701F8 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00180600 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00180804 .text C:\Program 
Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00180A08 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001801F8 .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3844] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001803FC .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 001701F8 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 001703FC .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 001803FC .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00180600 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00181014 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00180804 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00180A08 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00180C0C .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00180E10 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 001801F8 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00190600 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] USER32.dll!SetWindowsHookExW 
763287AD 5 Bytes JMP 00190804 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00190A08 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 001901F8 .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[3904] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 001903FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text 
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3980] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\SearchIndexer.exe[4036] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[4036] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[4036] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[4036] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\SearchIndexer.exe[4036] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\SearchIndexer.exe[4036] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\SearchIndexer.exe[4036] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\SearchIndexer.exe[4036] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\SearchIndexer.exe[4036] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Windows\system32\SearchIndexer.exe[4036] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\SearchIndexer.exe[4036] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\SearchIndexer.exe[4036] USER32.dll!SetWindowsHookExA 
76326322 5 Bytes JMP 00080600 .text C:\Windows\system32\SearchIndexer.exe[4036] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Windows\system32\SearchIndexer.exe[4036] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\SearchIndexer.exe[4036] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\SearchIndexer.exe[4036] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Users\Barbara W\Desktop\Downloads\zojyiy3t.exe[4404] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\System32\notepad.exe[4764] kernel32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[5052] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00070600 .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00071014 .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00070804 .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00070A08 .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00070C0C .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00070E10 .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[5052] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Windows\system32\svchost.exe[5052] USER32.dll!SetWindowsHookExW 
763287AD 5 Bytes JMP 00080804 .text C:\Windows\system32\svchost.exe[5052] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Windows\system32\svchost.exe[5052] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Windows\system32\svchost.exe[5052] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Windows\system32\svchost.exe[5080] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000A01F8 .text C:\Windows\system32\svchost.exe[5080] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000A03FC .text C:\Windows\system32\svchost.exe[5080] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\svchost.exe[5080] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000B03FC .text C:\Windows\system32\svchost.exe[5080] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 000B0600 .text C:\Windows\system32\svchost.exe[5080] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 000B1014 .text C:\Windows\system32\svchost.exe[5080] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 000B0804 .text C:\Windows\system32\svchost.exe[5080] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 000B0A08 .text C:\Windows\system32\svchost.exe[5080] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 000B0C0C .text C:\Windows\system32\svchost.exe[5080] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 000B0E10 .text C:\Windows\system32\svchost.exe[5080] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000B01F8 .text C:\Windows\system32\svchost.exe[5080] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 000C0600 .text C:\Windows\system32\svchost.exe[5080] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 000C0804 .text C:\Windows\system32\svchost.exe[5080] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 000C0A08 .text C:\Windows\system32\svchost.exe[5080] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000C01F8 .text C:\Windows\system32\svchost.exe[5080] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000C03FC .text 
C:\Windows\notepad.exe[5348] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000701F8 .text C:\Windows\notepad.exe[5348] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000703FC .text C:\Windows\notepad.exe[5348] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5348] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [5E, 71] .text C:\Windows\notepad.exe[5348] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5348] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [61, 71] .text C:\Windows\notepad.exe[5348] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\notepad.exe[5348] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\notepad.exe[5348] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\notepad.exe[5348] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7165000A .text C:\Windows\notepad.exe[5348] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7168000A .text C:\Windows\notepad.exe[5348] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000803FC .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00080600 .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00081014 .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00080804 .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 
Bytes JMP 00080A08 .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00080C0C .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00080E10 .text C:\Windows\notepad.exe[5348] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000801F8 .text C:\Windows\notepad.exe[5348] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7177000A .text C:\Windows\notepad.exe[5348] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7174000A .text C:\Windows\notepad.exe[5348] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717A000A .text C:\Windows\notepad.exe[5348] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717D000A .text C:\Windows\notepad.exe[5348] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00090600 .text C:\Windows\notepad.exe[5348] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00090804 .text C:\Windows\notepad.exe[5348] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00090A08 .text C:\Windows\notepad.exe[5348] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000901F8 .text C:\Windows\notepad.exe[5348] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5348] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [7F, 71] {JG 0x73} .text C:\Windows\notepad.exe[5348] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000903FC .text C:\Windows\notepad.exe[5348] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\notepad.exe[5348] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7183000A .text C:\Windows\notepad.exe[5348] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\notepad.exe[5348] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Windows\notepad.exe[5348] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A .text C:\Windows\notepad.exe[5348] NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 715C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 5F19D180 C:\Program Files\Mozilla 
Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000703FC .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [64, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [67, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 716B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 716E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!HeapSetInformation + 26 75C8A8B0 7 Bytes JMP 5F1AF84B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!LockResource + C 75CA6ACB 7 Bytes JMP 5F4E6B79 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!VirtualAllocEx + 54 75CAAF50 7 Bytes JMP 5F4E6B9C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00080600 .text C:\Program 
Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00080804 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00080A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000801F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [7F, 71] {JG 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000803FC .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7183000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7177000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7174000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] GDI32.dll!SetStretchBltMode + 256 75C1745C 7 Bytes JMP 5F4E6AFA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000903FC .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00090600 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A 
.text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00091014 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00090804 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00090A08 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00090C0C .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00090E10 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000901F8 .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 7171000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!SHCreateShellFolderView + B0FB 765E20C8 4 Bytes [71, 59, D2, 63] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!SHCreateShellFolderView + B103 765E20D0 4 Bytes [7F, 58, D2, 63] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!SHCreateShellFolderView + B117 765E20E4 4 Bytes [D6, 3C, D1, 63] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!SHCreateShellFolderView + B11F 765E20EC 4 Bytes [44, 3D, D1, 63] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!SHCreateShellFolderView + B127 765E20F4 4 Bytes [68, 3C, D1, 63] .text ... 
.text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!ILFree + 4A6 76638EE8 4 Bytes [71, 59, D2, 63] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!ILFree + 4AE 76638EF0 8 Bytes [7F, 58, D2, 63, 10, 5A, D2, ...] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!SHBindToObject + 298C 76640AA8 4 Bytes [71, 59, D2, 63] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!SHBindToObject + 2994 76640AB0 4 Bytes [7F, 58, D2, 63] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] SHELL32.dll!SHBindToObject + 29A4 76640AC0 4 Bytes [01, 3E, D1, 63] .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!select 758F15F4 6 Bytes JMP 7153000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!closesocket 758F330C 6 Bytes JMP 7162000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!recv 758F343A 6 Bytes JMP 7146000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!ioctlsocket 758F3CE7 6 Bytes JMP 7150000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!connect 758F40D9 6 Bytes JMP 715F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!WSASend 758F4496 6 Bytes JMP 713F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!send 758F659B 6 Bytes JMP 7159000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!sendto 758F67C5 6 Bytes JMP 7156000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!WSAGetOverlappedResult 758F8143 6 Bytes JMP 7139000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!WSARecv 758F8400 6 Bytes JMP 7142000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] WS2_32.dll!WSAAsyncSelect 7590A17C 6 Bytes JMP 714B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] 
IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5568] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A .text C:\Windows\notepad.exe[5880] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000701F8 .text C:\Windows\notepad.exe[5880] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000703FC .text C:\Windows\notepad.exe[5880] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5880] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [5E, 71] .text C:\Windows\notepad.exe[5880] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5880] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [61, 71] .text C:\Windows\notepad.exe[5880] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\notepad.exe[5880] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\notepad.exe[5880] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\notepad.exe[5880] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 7165000A .text C:\Windows\notepad.exe[5880] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7168000A .text C:\Windows\notepad.exe[5880] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000803FC .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00080600 .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00081014 
.text C:\Windows\notepad.exe[5880] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00080804 .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00080A08 .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00080C0C .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00080E10 .text C:\Windows\notepad.exe[5880] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000801F8 .text C:\Windows\notepad.exe[5880] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7177000A .text C:\Windows\notepad.exe[5880] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7174000A .text C:\Windows\notepad.exe[5880] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717A000A .text C:\Windows\notepad.exe[5880] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717D000A .text C:\Windows\notepad.exe[5880] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00090600 .text C:\Windows\notepad.exe[5880] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00090804 .text C:\Windows\notepad.exe[5880] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00090A08 .text C:\Windows\notepad.exe[5880] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000901F8 .text C:\Windows\notepad.exe[5880] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5880] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [7F, 71] {JG 0x73} .text C:\Windows\notepad.exe[5880] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000903FC .text C:\Windows\notepad.exe[5880] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\notepad.exe[5880] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7183000A .text C:\Windows\notepad.exe[5880] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Windows\notepad.exe[5880] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Windows\notepad.exe[5880] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A .text C:\Windows\notepad.exe[5880] 
NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 715C000A .text C:\Windows\system32\wuauclt.exe[6088] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000801F8 .text C:\Windows\system32\wuauclt.exe[6088] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000803FC .text C:\Windows\system32\wuauclt.exe[6088] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wuauclt.exe[6088] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [67, 71] .text C:\Windows\system32\wuauclt.exe[6088] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wuauclt.exe[6088] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\wuauclt.exe[6088] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Windows\system32\wuauclt.exe[6088] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Windows\system32\wuauclt.exe[6088] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Windows\system32\wuauclt.exe[6088] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 716E000A .text C:\Windows\system32\wuauclt.exe[6088] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 7171000A .text C:\Windows\system32\wuauclt.exe[6088] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Windows\system32\wuauclt.exe[6088] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7177000A .text C:\Windows\system32\wuauclt.exe[6088] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7174000A .text C:\Windows\system32\wuauclt.exe[6088] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717A000A .text C:\Windows\system32\wuauclt.exe[6088] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717D000A .text C:\Windows\system32\wuauclt.exe[6088] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00090600 .text C:\Windows\system32\wuauclt.exe[6088] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00090804 .text C:\Windows\system32\wuauclt.exe[6088] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00090A08 .text 
C:\Windows\system32\wuauclt.exe[6088] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000901F8 .text C:\Windows\system32\wuauclt.exe[6088] USER32.dll!RegisterHotKey 7632BDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wuauclt.exe[6088] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [7F, 71] {JG 0x73} .text C:\Windows\system32\wuauclt.exe[6088] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000903FC .text C:\Windows\system32\wuauclt.exe[6088] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Windows\system32\wuauclt.exe[6088] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7183000A .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000A03FC .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 000A0600 .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 000A1014 .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 000A0804 .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 000A0A08 .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 000A0C0C .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 000A0E10 .text C:\Windows\system32\wuauclt.exe[6088] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000A01F8 .text C:\Windows\system32\wuauclt.exe[6088] WS2_32.dll!socket 758F36D1 6 Bytes JMP 
71AE000A .text C:\Windows\system32\wuauclt.exe[6088] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Windows\system32\wuauclt.exe[6088] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ntdll.dll!LdrLoadDll 77249378 5 Bytes JMP 000701F8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ntdll.dll!LdrUnloadDll 7725B680 5 Bytes JMP 000703FC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ntdll.dll!NtAcceptConnectPort 77283E84 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ntdll.dll!NtAcceptConnectPort + 4 77283E88 2 Bytes [64, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ntdll.dll!NtCreateSymbolicLinkObject 77284354 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ntdll.dll!NtCreateSymbolicLinkObject + 4 77284358 2 Bytes [67, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] KERNEL32.dll!CreateProcessW 75C61BF3 6 Bytes JMP 71A4000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] KERNEL32.dll!CreateProcessA 75C61C28 6 Bytes JMP 71A7000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] KERNEL32.dll!LoadLibraryExW + 173 75C893DF 4 Bytes JMP 71AB000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] KERNEL32.dll!LoadLibraryW 75C893F0 6 Bytes JMP 716B000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] KERNEL32.dll!LoadLibraryA 75C8956C 6 Bytes JMP 716E000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] KERNEL32.dll!GetBinaryTypeW + 70 75CB2447 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!CreateServiceW 75B89EB4 5 Bytes JMP 000803FC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!DeleteService 75B8A07E 5 Bytes JMP 00080600 .text C:\Program Files\Mozilla 
Firefox\plugin-container.exe[6132] ADVAPI32.dll!InitiateSystemShutdownW 75BC1829 6 Bytes JMP 719B000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!InitiateSystemShutdownExW 75BC18F1 6 Bytes JMP 7195000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!InitiateSystemShutdownA 75BC19C1 6 Bytes JMP 719E000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!InitiateSystemShutdownExA 75BC1A68 6 Bytes JMP 7198000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!SetServiceObjectSecurity 75BC6CD9 5 Bytes JMP 00081014 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!ChangeServiceConfigA 75BC6DD9 5 Bytes JMP 00080804 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!ChangeServiceConfigW 75BC6F81 5 Bytes JMP 00080A08 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!ChangeServiceConfig2A 75BC7099 5 Bytes JMP 00080C0C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!ChangeServiceConfig2W 75BC71E1 5 Bytes JMP 00080E10 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] ADVAPI32.dll!CreateServiceA 75BC72A1 5 Bytes JMP 000801F8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] WS2_32.dll!socket 758F36D1 6 Bytes JMP 71AE000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!SetWindowsHookExA 76326322 5 Bytes JMP 00090600 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!SetWindowsHookExW 763287AD 5 Bytes JMP 00090804 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!UnhookWindowsHookEx 763298DB 5 Bytes JMP 00090A08 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!SetWinEventHook 76329F3A 5 Bytes JMP 000901F8 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!RegisterHotKey 7632BDA5 
3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!RegisterHotKey + 4 7632BDA9 2 Bytes [7F, 71] {JG 0x73} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!UnhookWinEvent 7632C06F 5 Bytes JMP 000903FC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!ExitWindowsEx 7636B7C3 6 Bytes JMP 71A1000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] USER32.dll!DdeClientTransaction 76382005 6 Bytes JMP 7183000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] GDI32.dll!DeleteDC 75C168CD 6 Bytes JMP 7177000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] GDI32.dll!BitBlt 75C170A6 6 Bytes JMP 7174000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] GDI32.dll!CreateDCW 75C1A91D 6 Bytes JMP 717A000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] GDI32.dll!CreateDCA 75C1AA49 6 Bytes JMP 717D000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] NETAPI32.dll!NetScheduleJobAdd 756182E0 6 Bytes JMP 7171000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] IPHLPAPI.DLL!IcmpSendEcho2Ex 751796D8 6 Bytes JMP 718E000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] IPHLPAPI.DLL!IcmpSendEcho2 75179C2D 6 Bytes JMP 7191000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[648] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 001C0002 IAT C:\Windows\system32\services.exe[648] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 001C0000 IAT C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe[1024] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 71810000 IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73327817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft 
GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7336B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7332BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7331F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [733275E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7331E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [733573F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7332DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7331FFFA] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7331FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [733171CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [733ACAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7334C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7331D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73316853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7331687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1800] @ C:\Windows\Explorer.EXE 
[gdiplus.dll!GdipSetCompositingMode] [73322AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\ehome\ehmsas.exe[1952] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 71810000 IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1968] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6F95FC70] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[2300] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 71810000 IAT C:\Windows\system32\conime.exe[2720] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 71810000 IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2784] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6F95FC70] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\ehome\ehtray.exe[3452] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 718A0000 IAT C:\Program Files\Windows Media Player\wmpnscfg.exe[3676] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 718A0000 IAT C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3704] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 71810000 IAT C:\Windows\notepad.exe[5348] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 718A0000 IAT C:\Program Files\Mozilla Firefox\firefox.exe[5568] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 718A0000 IAT C:\Windows\notepad.exe[5880] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 718A0000 IAT C:\Windows\system32\wuauclt.exe[6088] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 718A0000 IAT C:\Program Files\Mozilla Firefox\plugin-container.exe[6132] @ C:\Windows\system32\WS2_32.dll [ADVAPI32.dll!CreateServiceA] 718A0000 ---- Devices - GMER 2.1 ---- 
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \Driver\tdx \Device\Tcp OAmon.sys (TDI Helper Driver/Emsisoft)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\tdx \Device\RawIp6 OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\tdx \Device\Tcp6 OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\tdx \Device\Tdx OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\tdx \Device\Udp OAmon.sys (TDI Helper Driver/Emsisoft)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\tdx \Device\RawIp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\tdx \Device\Udp6 OAmon.sys (TDI Helper Driver/Emsisoft)

---- Registry - GMER 2.1 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A152F192-0646-3747-6C21-BCB814D0F3A0}

---- EOF - GMER 2.1 ----