GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-19 22:21:59 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000079 WDC_WD32 rev.01.0 298,09GB Running: xf08r3rh.exe; Driver: C:\Users\Maciej\AppData\Local\Temp\awrdrpog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800031fb000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800031fb02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b29a9d1} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1356] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001002904bc .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010038091c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100380048 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001003802ee .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001003804b2 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001003809fe .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100380ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010038012a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100380758 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100380676 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001003803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100380594 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010038083a .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010038020c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100380f52 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 0000000100390210 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 0000000100390048 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b39a9d1} .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100380ca6 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001003903d8 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 000000010039012c .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001003902f4 .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1464] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100380e6e .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010019091c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100190048 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001001902ee .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001001904b2 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001001909fe .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100190ae0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010019012a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100190758 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100190676 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001001903d0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100190594 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010019083a .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010019020c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100190f52 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 00000001001a0210 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 00000001001a0048 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b1aa9d1} .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100190ca6 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001001a03d8 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 00000001001a012c .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001001a02f4 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100190e6e .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1932] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001001a04bc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 00000001001d091c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 00000001001d0048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001001d02ee .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001001d04b2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001001d09fe .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 00000001001d0ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 00000001001d012a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 00000001001d0758 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 00000001001d0676 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001001d03d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 00000001001d0594 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 00000001001d083a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 00000001001d020c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 000000010026059e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 00000001001d0f52 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 0000000100260210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 0000000100260048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b26a9d1} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 00000001001d0ca6 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001002603d8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 000000010026012c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001002602f4 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2012] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 00000001001d0e6e .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 00000001001c091c .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 00000001001c0048 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001001c02ee .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001001c04b2 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001001c09fe .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 00000001001c0ae0 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 00000001001c012a .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 00000001001c0758 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 00000001001c0676 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001001c03d0 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 00000001001c0594 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 00000001001c083a .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 00000001001c020c .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 00000001001c0f52 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 00000001001d0210 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 00000001001d0048 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b1da9d1} .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 00000001001c0ca6 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001001d03d8 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 00000001001d012c .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001001d02f4 .text C:\Windows\AsScrPro.exe[1560] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 00000001001c0e6e .text C:\Windows\AsScrPro.exe[1560] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001001d059e .text C:\Windows\AsScrPro.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074851465 2 bytes [85, 74] .text C:\Windows\AsScrPro.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000748514bb 2 bytes [85, 74] .text ... * 2 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010029091c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100290048 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001002902ee .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001002904b2 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001002909fe .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100290ae0 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010003004c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010029012a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100290758 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100290676 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001002903d0 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100290594 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010029083a .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010029020c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001002a04bc .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100290f52 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 00000001002a0210 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 00000001002a0048 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b2aa9d1} .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100290ca6 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001002a03d8 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 00000001002a012c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001002a02f4 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2684] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100290e6e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001002904bc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b29a9d1} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[1408] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010027091c .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100270048 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001002702ee .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001002704b2 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001002709fe .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100270ae0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010025004c .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010027012a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100270758 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100270676 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001002703d0 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100270594 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010027083a .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010027020c .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100270f52 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 00000001004b0210 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 00000001004b0048 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b4ba9d1} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100270ca6 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001004b03d8 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 00000001004b012c .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001004b02f4 .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100270e6e .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[3060] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001004b059e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010029091c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100290048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001002902ee .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001002904b2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001002909fe .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100290ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010029012a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100290758 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100290676 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001002903d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100290594 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010029083a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010029020c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001002a04bc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100290f52 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 00000001002a0210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 00000001002a0048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b2aa9d1} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100290ca6 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001002a03d8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 00000001002a012c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001002a02f4 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[3452] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100290e6e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001003104bc .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 0000000100310210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 0000000100310048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b31a9d1} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001003103d8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 000000010031012c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001003102f4 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[3136] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 000000010029059e .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b29a9d1} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[4784] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100280e6e .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007712fc90 5 bytes JMP 000000010038091c .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007712fdf4 5 bytes JMP 0000000100380048 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007712fe88 5 bytes JMP 00000001003802ee .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007712ffe4 5 bytes JMP 00000001003804b2 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077130018 5 bytes JMP 00000001003809fe .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077130048 5 bytes JMP 0000000100380ae0 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077130064 5 bytes JMP 000000010002004c .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007713077c 5 bytes JMP 000000010038012a .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007713086c 5 bytes JMP 0000000100380758 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077130884 5 bytes JMP 0000000100380676 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077130dd4 5 bytes JMP 00000001003803d0 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077131900 5 bytes JMP 0000000100380594 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077131bc4 5 bytes JMP 000000010038083a .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077131d50 5 bytes JMP 000000010038020c .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000074ff524f 7 bytes JMP 0000000100380f52 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000074ff53d0 7 bytes JMP 0000000100390210 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000074ff5677 1 byte JMP 0000000100390048 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000074ff5679 5 bytes {JMP 0xffffffff8b39a9d1} .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000074ff589a 7 bytes JMP 0000000100380ca6 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000074ff5a1d 7 bytes JMP 00000001003903d8 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000074ff5c9b 7 bytes JMP 000000010039012c .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000074ff5d87 7 bytes JMP 00000001003902f4 .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000074ff7240 7 bytes JMP 0000000100380e6e .text C:\Users\Maciej\Desktop\xf08r3rh.exe[2176] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075931492 7 bytes JMP 00000001003904bc ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9cb70dc4fa8e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc773702cb9a Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9cb70dc4fa8e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\bc773702cb9a (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\Maciej\AppData\Local\Opera\Opera\cache\g_007B\opr01QSQ.tmp 0 bytes ---- EOF - GMER 2.1 ----