
Pests of all kinds and how to fight them: Adware.SpeedingUp virus, advertising banners in Firefox


08.04.2015, 23:15   #1
Pauskar
 
Adware.SpeedingUp virus, advertising banners in Firefox



Hello dear Trojaner-Boarders,

this is my third attempt at opening this thread; if I end up typing and copying everything for nothing again, even my very ample patience will slowly run out.

Up front: I have little to no experience with or knowledge of log files and their analysis, so when giving help/instructions, please use very detailed and easy-to-follow steps.

I'm plagued by a virus that opens an advertising window in a separate tab on every second click. These usually close again after a few seconds (I suspect because of my active Adblock Plus); in the address bar I can usually catch a glimpse of "adserv" or "axonan". Occasionally my Avast also steps in and finds threats on these pages, which is why at the moment I'm not doing anything online on the PC except hopefully getting help here.
At first I didn't recognise the severity of the infection; I merely started removing programs unknown to me that had newly appeared out of nowhere (it was something like SystemProBoost Pimp up) via the Control Panel. The pop-ups didn't stop, though; on the contrary, they rather increased. Resetting Firefox had no effect. In dawning desperation I then downloaded a "repair tool" called Reimage, which wanted to be paid after its scan before it would fix the problems. It was really stubborn and wouldn't let itself be uninstalled easily. At least it showed me that the most harmful virus on my system is a "Variant of Adware.SpeedingUp".
There have apparently already been several threads here about this virus, so I'm hoping for a reliable remedy.
Here is what following the first steps produced:
defogger
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 22:48 on 08/04/2015 (User)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
         
frst
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by User (administrator) on USER-PC on 08-04-2015 22:50:17
Running from C:\Users\User\Downloads
Loaded Profiles: User (Available profiles: User)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Anvisoft) C:\Program Files (x86)\Anvisoft\Cloud System Booster\CSBSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
() C:\ProgramData\eazyzoom\1.1.0.30\jhrywac.exe
() C:\ProgramData\eazyzoom\1.1.0.30\jhryaac.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNotifier.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
() C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Spotify Ltd) C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(PC Utilities Software Limited) C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe
(Lenovo) C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
() C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.exe
() C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.exe
() C:\ProgramData\eazyzoom\1.1.0.30\jhrydac.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(InterVideo) C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Mozilla Corporation) D:\Programme\firefox.exe
(Mozilla Corporation) D:\Programme\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
(GameRanger Technologies) C:\Users\User\AppData\Roaming\GameRanger\GameRanger\GameRanger.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
() C:\Users\User\Downloads\Defogger.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10775072 2010-04-23] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2040352 2010-04-23] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2101032 2010-05-03] (Synaptics Incorporated)
HKLM\...\Run: [SynBtnAsst] => C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe [54568 2010-05-03] (Synaptics Incorporated)
HKLM\...\Run: [OnekeyStudio] => C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [776608 2009-12-19] (Lenovo)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4448704 2010-03-11] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [7056832 2010-03-11] (Lenovo (Beijing) Limited)
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [6868280 2012-05-21] (Logitech Inc.)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2009-11-20] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-05-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [MuteSync] => C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe [336384 2009-12-28] (Lenovo)
HKLM-x32\...\Run: [Lenovo SlideNav2] => C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe [318400 2009-12-30] (Lenovo)
HKLM-x32\...\Run: [Lenovo SplitScreen] => C:\Program Files\Lenovo\Lenovo SplitScreen\SplitScreen\AutoRunSpS.exe [778592 2010-04-01] (Lenovo)
HKLM-x32\...\Run: [UCam_Menu] => c:\Program Files (x86)\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [YouCam Mirror Tray icon] => c:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [167008 2010-02-04] (CyberLink Corp.)
HKLM-x32\...\Run: [VeriFaceManager] => C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [3122528 2012-05-11] (Lenovo)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [tvncontrol] => C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2013-10-11] (Comodo Security Solutions, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-09-09] (AVAST Software)
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\Run: [Spotify Web Helper] => C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1245752 2014-09-27] (Spotify Ltd)
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\Run: [GoogleChromeAutoLaunch_BCEA24321E5E4F1401136BBEDFB545FE] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [809288 2015-03-30] (Google Inc.)
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\Run: [DriverUpdaterPro] => C:\Program Files (x86)\oTweak\DriverUpdaterPro\DriverUpdaterPro.exe /ot /as /ss
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\MountPoints2: {aa66b0b6-9b5a-11e1-bad3-18f46afcfaa0} - E:\CD_Start.exe
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [WLStart] => C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [786760 2009-07-26] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\windows\System32\SPReview\SPReview.exe [301568 2013-03-20] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start GeekBuddy.lnk
ShortcutTarget: Start GeekBuddy.lnk -> C:\Program Files (x86)\Comodo\GeekBuddy\launcher.exe (Comodo Security Solutions, Inc.)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk
ShortcutTarget: hqghumeaylnlf.lnk -> C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe (PC Utilities Software Limited)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: [VeriFace Enc] -> {771C7324-DA80-49D3-8017-753B0AF60951} => C:\windows\system32\IcnOvrly.dll ()
CHR HKU\S-1-5-21-1326109875-696039885-1899394854-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:58755;https=127.0.0.1:58755
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=AV01
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = about:blank
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=AV01
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
HKU\S-1-5-21-1326109875-696039885-1899394854-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.msn.com/?pc=AV01
URLSearchHook: HKLM-x32 - (No Name) - {0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - No File
URLSearchHook: HKU\S-1-5-21-1326109875-696039885-1899394854-1000 - (No Name) - {0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - No File
SearchScopes: HKLM-x32 -> DefaultScope {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKU\S-1-5-21-1326109875-696039885-1899394854-1000 -> DefaultScope {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKU\S-1-5-21-1326109875-696039885-1899394854-1000 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://search.conduit.com/Results.aspx?ctid=CT3315513&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SPDE6A0F4E-9DE7-4DCD-80F8-063D44DE57A8&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-1326109875-696039885-1899394854-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1326109875-696039885-1899394854-1000 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2014-09-08] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: No Name -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} ->  No File
BHO-x32: No Name -> {0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} ->  No File
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-06-06] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-03-02] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2014-09-08] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-10-21] (Microsoft Corporation.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-03-02] (Oracle Corporation)
BHO-x32: No Name -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} ->  No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM-x32 - No Name - {0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} -  No File
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-10-21] (Microsoft Corporation.)
Toolbar: HKU\S-1-5-21-1326109875-696039885-1899394854-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\rfo4snbm.default-1428334381312
FF DefaultSearchUrl: https://www.google.com/search
FF SearchEngineOrder.1: Google
FF SelectedSearchEngine: Google
FF Homepage: about:home
FF Keyword.URL: https://www.google.com/search
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-04] ()
FF Plugin: @microsoft.com/GENUINE -> C:\windows\system32\Wat\npWatWeb.dll [2012-06-10] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-04] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-10-01] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.4.0 -> C:\windows\SysWOW64\npDeployJava1.dll [2012-05-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-03-02] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> C:\windows\system32\Wat\npWatWeb.dll [2012-06-10] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-06-06] (Adobe Systems Inc.)
FF Extension: EazyZoom - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\rfo4snbm.default-1428334381312\Extensions\ka@thsic.com [2015-04-08]
FF Extension: WEB.DE MailCheck - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\rfo4snbm.default-1428334381312\Extensions\toolbar@web.de [2015-04-07]
FF Extension: Adblock Plus - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\rfo4snbm.default-1428334381312\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-04-07]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-05-28]
FF HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\Firefox\Extensions: [{B64D9B05-48E1-4CEB-BF58-E0643994E900}] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff
FF Extension: Download videos and MP3s from YouTube - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff [2014-11-20]
StartMenuInternet: FIREFOX.EXE - D:\Programme\firefox.exe

Chrome: 
=======
CHR HomePage: Default -> 
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchKeyword: Default -> google.de_
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Avast Online Security) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-09-08]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-05]
CHR Extension: (Google Wallet) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-20]
CHR Extension: (Quick start) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelmeidfhdlhlbjimpabfcbnnojbboma [2014-08-22]
CHR HKU\S-1-5-21-1326109875-696039885-1899394854-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bhphemoobgnikcoofkgackkaimpfmenm] - C:\Users\User\AppData\Local\CRE\bhphemoobgnikcoofkgackkaimpfmenm.crx [2012-07-05]
CHR HKLM-x32\...\Chrome\Extension: [bhphemoobgnikcoofkgackkaimpfmenm] - C:\Users\User\AppData\Local\CRE\bhphemoobgnikcoofkgackkaimpfmenm.crx [2012-07-05]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-09-08]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

Locked "isazpav" service could not be unlocked. <===== ATTENTION
Locked "jimshle" service could not be unlocked. <===== ATTENTION
Locked "tammgF119" service could not be unlocked. <===== ATTENTION
Locked "tammgR119" service could not be unlocked. <===== ATTENTION

R2 AnviCsbSvc; C:\Program Files (x86)\Anvisoft\Cloud System Booster\CSBSvc.exe [42680 2014-08-20] (Anvisoft)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-09-08] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [106488 2014-09-08] (AVAST Software)
R2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [873248 2010-01-12] (Broadcom Corporation.)
S4 CLPSLauncher; C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe [70352 2013-10-11] (Comodo Security Solutions, Inc.)
R2 DragonUpdater; C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2370240 2014-11-27] (Comodo Security Solutions, Inc.)
R2 GeekBuddyRSP; C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2013-10-11] (Comodo Security Solutions, Inc.)
S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-15] (Lenovo Group Limited)
S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [575304 2009-11-17] (Lenovo Group Limited)
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-16] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-15] (Lenovo Group Limited)
R2 Slidebar Notifier Service; C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNotifier.exe [69568 2009-12-30] (Lenovo)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-09-08] ()
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28184 2014-09-08] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-09-08] (AVAST Software)
R0 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [448400 2014-09-08] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-09-08] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-09-08] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-11-22] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-09-09] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-09-08] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-09-08] ()
R3 ATIAVPCI; C:\Windows\System32\DRIVERS\atinavrr.sys [1383680 2009-07-16] (ATI Technologies Inc.)
S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-16] (Lenovo)
S1 CFRMD; C:\Windows\SysWOW64\DRIVERS\CFRMD.sys [37976 2012-09-03] (Windows (R) Win 7 DDK provider) [File not signed]
R3 JmUsbCcgp; C:\Windows\System32\DRIVERS\jmccgp.sys [17904 2010-02-05] (JMicron Technology Corp.)
R3 JmUsbVideo; C:\Windows\System32\Drivers\jmcam.sys [56688 2010-02-05] (JMicron Technology Corp.)
R3 JmUsbVideo2; C:\Windows\System32\Drivers\jmcam_lo.sys [31088 2010-02-05] (JMicron Technology Corp.)
R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [66328 2012-02-07] (Logitech Inc.)
S3 Netaapl; C:\Windows\System32\DRIVERS\netaapl64.sys [22528 2011-08-02] (Apple Inc.) [File not signed]
R5 tammgF119; C:\Windows\System32\Drivers\tammgF119.sys [26760 2015-04-06] () [File not signed]
R5 tammgR119; C:\Windows\System32\Drivers\tammgR119.sys [26248 2015-04-06] () [File not signed]
R3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
U3 BcmSqlStartupSvc; No ImagePath
R3 cpuz134; \??\C:\Users\User\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 EagleX64; \??\C:\windows\system32\drivers\EagleX64.sys [X]
U2 RichVideo; No ImagePath
U3 SQLWriter; No ImagePath
S3 uxddrv; \??\E:\DIAGNOSE\WSTGER64\2PART\uxddrv64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-08 22:50 - 2015-04-08 22:50 - 00025988 _____ () C:\Users\User\Downloads\FRST.txt
2015-04-08 22:50 - 2015-04-08 22:50 - 00000000 ____D () C:\FRST
2015-04-08 22:49 - 2015-04-08 22:49 - 02095616 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
2015-04-08 22:48 - 2015-04-08 22:48 - 00000470 _____ () C:\Users\User\Downloads\defogger_disable.log
2015-04-08 22:48 - 2015-04-08 22:48 - 00000000 _____ () C:\Users\User\defogger_reenable
2015-04-08 22:47 - 2015-04-08 22:47 - 00050477 _____ () C:\Users\User\Downloads\Defogger.exe
2015-04-08 22:16 - 2015-04-08 22:39 - 00000000 ____D () C:\Program Files\Reimage
2015-04-08 22:14 - 2015-04-08 22:18 - 00000158 _____ () C:\windows\Reimage.ini
2015-04-08 22:14 - 2015-04-08 22:14 - 00768512 _____ (Reimage®) C:\Users\User\Downloads\ReimageRepair.exe
2015-04-08 14:52 - 2015-04-08 14:52 - 00003202 _____ () C:\windows\System32\Tasks\avastBCLRestartS-1-5-21-1326109875-696039885-1899394854-1000
2015-04-07 16:20 - 2015-04-07 16:20 - 02876419 _____ () C:\windows\shost.bin
2015-04-06 17:33 - 2015-04-06 17:33 - 00000000 ____D () C:\Users\User\Desktop\Alte Firefox-Daten
2015-04-06 17:02 - 2015-04-06 17:02 - 00011076 _____ () C:\Users\User\Downloads\7C54E162B7FD6F2397B5500A18A326FF76ABD07B.torrent
2015-04-06 16:30 - 2015-04-06 16:31 - 00000000 ____D () C:\Users\User\AppData\Roaming\Opera Software
2015-04-06 16:30 - 2015-04-06 16:31 - 00000000 ____D () C:\Users\User\AppData\Local\Opera Software
2015-04-06 16:25 - 2015-04-06 16:31 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-04-06 16:23 - 2015-04-06 16:25 - 00000000 ____D () C:\Users\User\AppData\Roaming\00000000-1428330225-0000-0000-000000000000
2015-04-06 16:20 - 2015-04-06 16:20 - 00026760 _____ () C:\windows\system32\Drivers\tammgF119.sys
2015-04-06 16:20 - 2015-04-06 16:20 - 00026248 _____ () C:\windows\system32\Drivers\tammgR119.sys
2015-04-06 16:20 - 2015-04-06 16:20 - 00000000 ____D () C:\ProgramData\eazyzoom
2015-04-06 16:16 - 2015-04-06 16:16 - 01537552 _____ (Dummy, Ltd.) C:\Users\User\Downloads\warhammer chaos army book_10924_i50052832_il345.exe
2015-04-04 13:15 - 2015-04-04 13:16 - 00000000 ___SD () C:\windows\system32\GWX
2015-04-04 13:15 - 2015-04-04 13:15 - 00000000 ___SD () C:\windows\SysWOW64\GWX
2015-04-03 12:41 - 2015-04-07 10:36 - 00001996 _____ () C:\windows\PFRO.log
2015-04-02 21:07 - 2015-04-02 21:07 - 00034128 _____ () C:\Users\User\AppData\Local\recently-used.xbel
2015-04-02 20:13 - 2015-04-02 20:13 - 00000000 ____D () C:\ProgramData\482632dc000026a9
2015-04-02 20:11 - 2015-04-02 20:11 - 00000000 ____D () C:\Users\User\Documents\Optimizer Pro
2015-04-02 20:10 - 2015-04-02 20:10 - 00000000 ____D () C:\Users\User\AppData\Roaming\dlg
2015-04-02 20:05 - 2015-04-08 21:52 - 00000000 ____D () C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}
2015-04-02 20:05 - 2015-04-02 21:20 - 00000000 ____D () C:\Users\User\AppData\Roaming\Steganos VPN
2015-04-02 20:04 - 2015-04-02 21:22 - 00000000 ____D () C:\Users\User\AppData\Roaming\Steganos
2015-04-02 20:04 - 2015-04-02 21:22 - 00000000 ____D () C:\Program Files (x86)\OkayFreedom
2015-04-02 20:03 - 2015-04-02 20:03 - 00000000 ____D () C:\Program Files (x86)\WEB.DE MailCheck
2015-03-31 17:16 - 2015-03-31 17:25 - 146348556 _____ () C:\Users\User\Downloads\Cult Classic Records - Cult Classic Records Present- Friends and Family.zip
2015-03-30 16:05 - 2015-03-30 16:08 - 00000000 ____D () C:\Users\User\Desktop\ebay
2015-03-26 14:43 - 2015-04-08 21:49 - 00002029 _____ () C:\windows\setupact.log
2015-03-26 14:43 - 2015-03-26 14:43 - 00000000 _____ () C:\windows\setuperr.log
2015-03-18 21:50 - 2015-03-18 23:32 - 00016384 _____ () C:\Users\User\Desktop\PrinceKoala.mp4.sfk
2015-03-12 12:59 - 2015-02-20 06:41 - 00041984 _____ (Microsoft Corporation) C:\windows\system32\lpk.dll
2015-03-12 12:59 - 2015-02-20 06:40 - 00100864 _____ (Microsoft Corporation) C:\windows\system32\fontsub.dll
2015-03-12 12:59 - 2015-02-20 06:40 - 00046080 _____ (Adobe Systems) C:\windows\system32\atmlib.dll
2015-03-12 12:59 - 2015-02-20 06:40 - 00014336 _____ (Microsoft Corporation) C:\windows\system32\dciman32.dll
2015-03-12 12:59 - 2015-02-20 06:13 - 00070656 _____ (Microsoft Corporation) C:\windows\SysWOW64\fontsub.dll
2015-03-12 12:59 - 2015-02-20 06:13 - 00034304 _____ (Adobe Systems) C:\windows\SysWOW64\atmlib.dll
2015-03-12 12:59 - 2015-02-20 06:13 - 00010240 _____ (Microsoft Corporation) C:\windows\SysWOW64\dciman32.dll
2015-03-12 12:59 - 2015-02-20 06:12 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\lpk.dll
2015-03-12 12:59 - 2015-02-20 05:29 - 00372224 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll
2015-03-12 12:59 - 2015-02-20 05:09 - 00299008 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\atmfd.dll
2015-03-11 18:29 - 2015-03-11 18:33 - 132569976 _____ () C:\Users\User\Downloads\WHTW.zip
2015-03-11 16:41 - 2015-02-03 05:31 - 14632960 _____ (Microsoft Corporation) C:\windows\system32\wmp.dll
2015-03-11 16:41 - 2015-02-03 05:31 - 00782848 _____ (Microsoft Corporation) C:\windows\system32\wmdrmsdk.dll
2015-03-11 16:41 - 2015-02-03 05:30 - 01202176 _____ (Microsoft Corporation) C:\windows\system32\drmv2clt.dll
2015-03-11 16:41 - 2015-02-03 05:30 - 00842240 _____ (Microsoft Corporation) C:\windows\system32\blackbox.dll
2015-03-11 16:41 - 2015-02-03 05:12 - 00988160 _____ (Microsoft Corporation) C:\windows\SysWOW64\drmv2clt.dll
2015-03-11 16:41 - 2015-02-03 05:12 - 00744960 _____ (Microsoft Corporation) C:\windows\SysWOW64\blackbox.dll
2015-03-11 16:40 - 2015-02-03 05:34 - 05554104 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-03-11 16:40 - 2015-02-03 05:34 - 00693176 _____ (Microsoft Corporation) C:\windows\system32\winload.efi
2015-03-11 16:40 - 2015-02-03 05:34 - 00094656 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mountmgr.sys
2015-03-11 16:40 - 2015-02-03 05:33 - 00616360 _____ (Microsoft Corporation) C:\windows\system32\winresume.efi
2015-03-11 16:40 - 2015-02-03 05:31 - 04121600 _____ (Microsoft Corporation) C:\windows\system32\mf.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 01574400 _____ (Microsoft Corporation) C:\windows\system32\quartz.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00641024 _____ (Microsoft Corporation) C:\windows\system32\msscp.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00500224 _____ (Microsoft Corporation) C:\windows\system32\AUDIOKSE.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00432128 _____ (Microsoft Corporation) C:\windows\system32\mfplat.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00371712 _____ (Microsoft Corporation) C:\windows\system32\qdvd.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00325632 _____ (Microsoft Corporation) C:\windows\system32\msnetobj.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00229376 _____ (Microsoft Corporation) C:\windows\system32\wintrust.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00206848 _____ (Microsoft Corporation) C:\windows\system32\mfps.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00188416 _____ (Microsoft Corporation) C:\windows\system32\pcasvc.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00063488 _____ (Microsoft Corporation) C:\windows\system32\setbcdlocale.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00037376 _____ (Microsoft Corporation) C:\windows\system32\pcadm.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00011264 _____ (Microsoft Corporation) C:\windows\system32\msmmsp.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00009728 _____ (Microsoft Corporation) C:\windows\system32\spwmp.dll
2015-03-11 16:40 - 2015-02-03 05:31 - 00005120 _____ (Microsoft Corporation) C:\windows\system32\msdxm.ocx
2015-03-11 16:40 - 2015-02-03 05:31 - 00005120 _____ (Microsoft Corporation) C:\windows\system32\dxmasf.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 12625920 _____ (Microsoft Corporation) C:\windows\system32\wmploc.DLL
2015-03-11 16:40 - 2015-02-03 05:30 - 01480192 _____ (Microsoft Corporation) C:\windows\system32\crypt32.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 01069056 _____ (Microsoft Corporation) C:\windows\system32\cryptui.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00680960 _____ (Microsoft Corporation) C:\windows\system32\audiosrv.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00631808 _____ (Microsoft Corporation) C:\windows\system32\evr.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00497664 _____ (Microsoft Corporation) C:\windows\system32\drmmgrtn.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00440832 _____ (Microsoft Corporation) C:\windows\system32\AudioEng.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-03-11 16:40 - 2015-02-03 05:30 - 00296448 _____ (Microsoft Corporation) C:\windows\system32\AudioSes.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00284672 _____ (Microsoft Corporation) C:\windows\system32\EncDump.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00187904 _____ (Microsoft Corporation) C:\windows\system32\cryptsvc.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00146944 _____ (Microsoft Corporation) C:\windows\system32\appidpolicyconverter.exe
2015-03-11 16:40 - 2015-02-03 05:30 - 00140288 _____ (Microsoft Corporation) C:\windows\system32\cryptnet.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00126464 _____ (Microsoft Corporation) C:\windows\system32\audiodg.exe
2015-03-11 16:40 - 2015-02-03 05:30 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2015-03-11 16:40 - 2015-02-03 05:30 - 00082432 _____ (Microsoft Corporation) C:\windows\system32\cryptsp.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00058880 _____ (Microsoft Corporation) C:\windows\system32\appidapi.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00055808 _____ (Microsoft Corporation) C:\windows\system32\rrinstaller.exe
2015-03-11 16:40 - 2015-02-03 05:30 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00032256 _____ (Microsoft Corporation) C:\windows\system32\appidsvc.dll
2015-03-11 16:40 - 2015-02-03 05:30 - 00024576 _____ (Microsoft Corporation) C:\windows\system32\mfpmp.exe
2015-03-11 16:40 - 2015-02-03 05:30 - 00017920 _____ (Microsoft Corporation) C:\windows\system32\appidcertstorecheck.exe
2015-03-11 16:40 - 2015-02-03 05:30 - 00011264 _____ (Microsoft Corporation) C:\windows\system32\pcawrk.exe
2015-03-11 16:40 - 2015-02-03 05:30 - 00009728 _____ (Microsoft Corporation) C:\windows\system32\pcalua.exe
2015-03-11 16:40 - 2015-02-03 05:29 - 00008704 _____ (Microsoft Corporation) C:\windows\system32\pcaevts.dll
2015-03-11 16:40 - 2015-02-03 05:28 - 00006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
2015-03-11 16:40 - 2015-02-03 05:28 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\mferror.dll
2015-03-11 16:40 - 2015-02-03 05:19 - 00663552 _____ (Microsoft Corporation) C:\windows\system32\Drivers\PEAuth.sys
2015-03-11 16:40 - 2015-02-03 05:16 - 03973048 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-03-11 16:40 - 2015-02-03 05:16 - 03917760 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-03-11 16:40 - 2015-02-03 05:12 - 11411968 _____ (Microsoft Corporation) C:\windows\SysWOW64\wmp.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 03209728 _____ (Microsoft Corporation) C:\windows\SysWOW64\mf.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 01329664 _____ (Microsoft Corporation) C:\windows\SysWOW64\quartz.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 01174528 _____ (Microsoft Corporation) C:\windows\SysWOW64\crypt32.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 01005056 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptui.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00617984 _____ (Microsoft Corporation) C:\windows\SysWOW64\wmdrmsdk.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00519680 _____ (Microsoft Corporation) C:\windows\SysWOW64\qdvd.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00504320 _____ (Microsoft Corporation) C:\windows\SysWOW64\msscp.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00489984 _____ (Microsoft Corporation) C:\windows\SysWOW64\evr.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00442880 _____ (Microsoft Corporation) C:\windows\SysWOW64\AUDIOKSE.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00406016 _____ (Microsoft Corporation) C:\windows\SysWOW64\drmmgrtn.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00374784 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioEng.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00354816 _____ (Microsoft Corporation) C:\windows\SysWOW64\mfplat.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00265216 _____ (Microsoft Corporation) C:\windows\SysWOW64\msnetobj.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00195584 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioSes.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00179200 _____ (Microsoft Corporation) C:\windows\SysWOW64\wintrust.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00143872 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptsvc.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00103936 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptnet.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00103424 _____ (Microsoft Corporation) C:\windows\SysWOW64\mfps.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00081408 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptsp.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00050688 _____ (Microsoft Corporation) C:\windows\SysWOW64\appidapi.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00008192 _____ (Microsoft Corporation) C:\windows\SysWOW64\spwmp.dll
2015-03-11 16:40 - 2015-02-03 05:12 - 00004096 _____ (Microsoft Corporation) C:\windows\SysWOW64\msdxm.ocx
2015-03-11 16:40 - 2015-02-03 05:12 - 00004096 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxmasf.dll
2015-03-11 16:40 - 2015-02-03 05:11 - 12625408 _____ (Microsoft Corporation) C:\windows\SysWOW64\wmploc.DLL
2015-03-11 16:40 - 2015-02-03 05:11 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\rrinstaller.exe
2015-03-11 16:40 - 2015-02-03 05:11 - 00023040 _____ (Microsoft Corporation) C:\windows\SysWOW64\mfpmp.exe
2015-03-11 16:40 - 2015-02-03 05:09 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\mferror.dll
2015-03-11 16:40 - 2015-02-03 05:08 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
2015-03-11 16:40 - 2015-02-03 04:32 - 00061440 _____ (Microsoft Corporation) C:\windows\system32\Drivers\appid.sys
2015-03-11 16:40 - 2014-11-01 00:24 - 00619056 _____ (Microsoft Corporation) C:\windows\system32\winload.exe
2015-03-11 16:40 - 2014-06-28 02:21 - 00532176 _____ (Microsoft Corporation) C:\windows\system32\winresume.exe
2015-03-11 16:40 - 2014-06-28 02:21 - 00457400 _____ (Microsoft Corporation) C:\windows\system32\ci.dll
2015-03-11 16:39 - 2015-03-06 07:56 - 00155576 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2015-03-11 16:39 - 2015-03-06 07:56 - 00095680 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2015-03-11 16:39 - 2015-03-06 07:42 - 01461760 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00728064 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00341504 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00314880 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00309760 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00210944 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00136192 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00029184 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2015-03-11 16:39 - 2015-03-06 07:42 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2015-03-11 16:39 - 2015-03-06 07:41 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2015-03-11 16:39 - 2015-03-06 07:41 - 00031232 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2015-03-11 16:39 - 2015-03-06 07:39 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2015-03-11 16:39 - 2015-03-06 07:38 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2015-03-11 16:39 - 2015-03-06 07:36 - 00686080 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2015-03-11 16:39 - 2015-03-06 07:10 - 00550912 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2015-03-11 16:39 - 2015-03-06 07:10 - 00259584 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2015-03-11 16:39 - 2015-03-06 07:10 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2015-03-11 16:39 - 2015-03-06 07:10 - 00221184 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2015-03-11 16:39 - 2015-03-06 07:10 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2015-03-11 16:39 - 2015-03-06 07:10 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2015-03-11 16:39 - 2015-03-06 07:10 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2015-03-11 16:39 - 2015-03-06 07:10 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2015-03-11 16:39 - 2015-03-06 07:09 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2015-03-11 16:39 - 2015-03-06 07:09 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2015-03-11 16:39 - 2015-03-06 07:07 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2015-03-11 16:39 - 2015-03-06 07:07 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2015-03-11 16:39 - 2015-03-06 07:06 - 00686080 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2015-03-11 16:39 - 2015-02-26 05:25 - 03204096 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2015-03-11 16:39 - 2015-02-24 05:15 - 00389800 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2015-03-11 16:39 - 2015-02-24 04:32 - 00342696 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2015-03-11 16:39 - 2015-02-21 03:16 - 25021440 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2015-03-11 16:39 - 2015-02-21 02:41 - 12827648 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2015-03-11 16:39 - 2015-02-21 02:27 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2015-03-11 16:39 - 2015-02-21 02:27 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2015-03-11 16:39 - 2015-02-21 02:25 - 19720192 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2015-03-11 16:39 - 2015-02-21 01:58 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2015-03-11 16:39 - 2015-02-21 01:32 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2015-03-11 16:39 - 2015-02-20 05:06 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2015-03-11 16:39 - 2015-02-20 05:05 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2015-03-11 16:39 - 2015-02-20 04:50 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2015-03-11 16:39 - 2015-02-20 04:49 - 00584192 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2015-03-11 16:39 - 2015-02-20 04:49 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2015-03-11 16:39 - 2015-02-20 04:48 - 02886144 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2015-03-11 16:39 - 2015-02-20 04:47 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2015-03-11 16:39 - 2015-02-20 04:41 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2015-03-11 16:39 - 2015-02-20 04:40 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2015-03-11 16:39 - 2015-02-20 04:36 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2015-03-11 16:39 - 2015-02-20 04:35 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2015-03-11 16:39 - 2015-02-20 04:35 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2015-03-11 16:39 - 2015-02-20 04:34 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2015-03-11 16:39 - 2015-02-20 04:32 - 06035456 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2015-03-11 16:39 - 2015-02-20 04:26 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2015-03-11 16:39 - 2015-02-20 04:22 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2015-03-11 16:39 - 2015-02-20 04:22 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2015-03-11 16:39 - 2015-02-20 04:13 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2015-03-11 16:39 - 2015-02-20 04:09 - 00503296 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2015-03-11 16:39 - 2015-02-20 04:08 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2015-03-11 16:39 - 2015-02-20 04:08 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2015-03-11 16:39 - 2015-02-20 04:08 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2015-03-11 16:39 - 2015-02-20 04:06 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2015-03-11 16:39 - 2015-02-20 04:05 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2015-03-11 16:39 - 2015-02-20 04:03 - 02278400 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2015-03-11 16:39 - 2015-02-20 04:01 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2015-03-11 16:39 - 2015-02-20 04:00 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2015-03-11 16:39 - 2015-02-20 03:58 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2015-03-11 16:39 - 2015-02-20 03:56 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2015-03-11 16:39 - 2015-02-20 03:56 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2015-03-11 16:39 - 2015-02-20 03:49 - 00801280 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2015-03-11 16:39 - 2015-02-20 03:49 - 00718848 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2015-03-11 16:39 - 2015-02-20 03:47 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2015-03-11 16:39 - 2015-02-20 03:46 - 02125824 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2015-03-11 16:39 - 2015-02-20 03:43 - 14398976 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2015-03-11 16:39 - 2015-02-20 03:41 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-03-11 16:39 - 2015-02-20 03:37 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2015-03-11 16:39 - 2015-02-20 03:30 - 04300288 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2015-03-11 16:39 - 2015-02-20 03:28 - 02358784 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2015-03-11 16:39 - 2015-02-20 03:24 - 02052608 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2015-03-11 16:39 - 2015-02-20 03:24 - 00689152 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2015-03-11 16:39 - 2015-02-20 03:23 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2015-03-11 16:39 - 2015-02-20 03:16 - 01548288 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2015-03-11 16:39 - 2015-02-20 03:03 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2015-03-11 16:39 - 2015-02-20 03:01 - 01888256 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2015-03-11 16:39 - 2015-02-20 02:57 - 01311232 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2015-03-11 16:39 - 2015-02-20 02:55 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2015-03-11 16:39 - 2015-02-13 07:26 - 12875264 _____ (Microsoft Corporation) C:\windows\SysWOW64\shell32.dll
2015-03-11 16:39 - 2015-02-13 07:22 - 14177280 _____ (Microsoft Corporation) C:\windows\system32\shell32.dll
2015-03-11 16:39 - 2015-02-04 05:16 - 00465920 _____ (Microsoft Corporation) C:\windows\system32\WMPhoto.dll
2015-03-11 16:39 - 2015-02-04 04:54 - 00417792 _____ (Microsoft Corporation) C:\windows\SysWOW64\WMPhoto.dll
2015-03-11 16:39 - 2015-02-03 05:31 - 01424896 _____ (Microsoft Corporation) C:\windows\system32\WindowsCodecs.dll
2015-03-11 16:39 - 2015-02-03 05:31 - 00215552 _____ (Microsoft Corporation) C:\windows\system32\ubpm.dll
2015-03-11 16:39 - 2015-02-03 05:12 - 01230848 _____ (Microsoft Corporation) C:\windows\SysWOW64\WindowsCodecs.dll
2015-03-11 16:39 - 2015-02-03 05:12 - 00171520 _____ (Microsoft Corporation) C:\windows\SysWOW64\ubpm.dll
2015-03-11 16:39 - 2015-01-31 01:56 - 00459336 _____ (Microsoft Corporation) C:\windows\system32\Drivers\cng.sys
2015-03-11 16:39 - 2015-01-17 04:48 - 01067520 _____ (Microsoft Corporation) C:\windows\system32\msctf.dll
2015-03-11 16:39 - 2015-01-17 04:30 - 00828928 _____ (Microsoft Corporation) C:\windows\SysWOW64\msctf.dll
2015-03-10 23:04 - 2015-03-10 23:04 - 02364621 _____ () C:\Users\User\Desktop\taowlogobase.xcf
2015-03-10 12:58 - 2015-03-10 13:33 - 00000000 ____D () C:\Users\User\Desktop\maxworx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-08 22:48 - 2013-06-17 20:53 - 00001110 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-08 22:43 - 2012-05-15 15:28 - 00000000 ____D () C:\Users\User\AppData\Local\Google
2015-04-08 22:40 - 2012-08-15 21:01 - 00000000 ____D () C:\Users\User\AppData\Roaming\Mozilla
2015-04-08 22:28 - 2012-07-04 00:41 - 00004182 _____ () C:\windows\System32\Tasks\avast! Emergency Update
2015-04-08 22:09 - 2012-05-28 03:13 - 00000884 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-04-08 22:04 - 2012-05-28 03:13 - 00003822 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2015-04-08 22:03 - 2012-05-28 03:13 - 00778928 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-04-08 22:03 - 2012-05-16 17:56 - 00142512 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-08 21:58 - 2012-05-11 10:27 - 01094898 _____ () C:\windows\WindowsUpdate.log
2015-04-08 21:56 - 2009-07-14 06:45 - 00027088 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-08 21:56 - 2009-07-14 06:45 - 00027088 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-08 21:52 - 2012-05-11 11:14 - 00000000 ____D () C:\ProgramData\VeriFace
2015-04-08 21:51 - 2013-06-17 20:53 - 00001106 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-08 21:50 - 2012-05-11 11:20 - 09637823 _____ () C:\FaceProv.log
2015-04-08 21:50 - 2009-07-14 07:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-04-07 19:15 - 2012-05-15 15:57 - 00000000 ____D () C:\Users\User\AppData\Roaming\Skype
2015-04-06 17:11 - 2012-10-03 12:16 - 00000000 ____D () C:\Users\User\AppData\Roaming\uTorrent
2015-04-06 17:02 - 2012-05-27 11:06 - 00000000 ____D () C:\Users\User\Desktop\Games
2015-04-06 17:01 - 2012-05-15 15:28 - 00000000 ____D () C:\Users\User\AppData\Local\Deployment
2015-04-06 16:31 - 2012-05-11 12:33 - 00001421 _____ () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-04-06 16:06 - 2012-12-24 12:06 - 00000000 ____D () C:\Users\User\Documents\My Games
2015-04-06 14:26 - 2012-05-11 18:11 - 00699682 _____ () C:\windows\system32\perfh007.dat
2015-04-06 14:26 - 2012-05-11 18:11 - 00149790 _____ () C:\windows\system32\perfc007.dat
2015-04-06 14:26 - 2009-07-14 07:13 - 01620684 _____ () C:\windows\system32\PerfStringBackup.INI
2015-04-05 13:05 - 2012-05-15 15:53 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-04-03 12:42 - 2009-07-14 06:45 - 00293528 _____ () C:\windows\system32\FNTCACHE.DAT
2015-04-03 01:52 - 2012-05-11 12:33 - 00068376 _____ () C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2015-04-02 21:20 - 2015-03-03 00:49 - 00000000 ____D () C:\Users\User\Desktop\GiMP stuff
2015-04-02 21:07 - 2013-11-30 19:25 - 00000000 ____D () C:\Users\User\AppData\Local\gtk-2.0
2015-04-02 21:07 - 2013-11-30 19:16 - 00000000 ____D () C:\Users\User\.gimp-2.8
2015-04-02 19:50 - 2013-12-20 20:57 - 00002210 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-23 17:12 - 2012-06-07 18:21 - 00000000 ____D () C:\Users\User\AppData\Roaming\Spotify
2015-03-23 16:44 - 2012-06-07 18:21 - 00000000 ____D () C:\Users\User\AppData\Local\Spotify
2015-03-20 16:13 - 2009-07-14 07:08 - 00032640 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2015-03-18 21:49 - 2012-12-24 22:57 - 00000000 ____D () C:\Users\User\Documents\Vegas Movie Studio HD Platinum 11.0 Projekte
2015-03-18 13:30 - 2013-05-19 18:18 - 00000000 ____D () C:\Users\User\Desktop\alles
2015-03-14 02:46 - 2012-09-26 19:01 - 00000000 ____D () C:\Users\User\AppData\Roaming\TS3Client
2015-03-12 22:46 - 2009-07-14 05:20 - 00000000 ____D () C:\windows\rescache
2015-03-12 12:44 - 2009-07-14 05:20 - 00000000 ____D () C:\windows\SysWOW64\Dism
2015-03-12 12:44 - 2009-07-14 05:20 - 00000000 ____D () C:\windows\system32\Dism

==================== Files in the root of some directories =======

2013-03-30 17:25 - 2012-10-23 11:59 - 0060816 _____ () C:\Program Files (x86)\EULA.eng
2015-04-02 21:07 - 2015-04-02 21:07 - 0034128 _____ () C:\Users\User\AppData\Local\recently-used.xbel
2012-06-10 10:05 - 2013-10-28 22:22 - 0007595 _____ () C:\Users\User\AppData\Local\Resmon.ResmonCfg

Some content of TEMP:
====================
C:\Users\User\AppData\Local\Temp\optprosetup.exe
C:\Users\User\AppData\Local\Temp\ReimagePackage.exe
C:\Users\User\AppData\Local\Temp\ReiSysUpdate.exe
C:\Users\User\AppData\Local\Temp\somoto_A Charming Font_1.0.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-04 12:42

==================== End Of Log ============================
         

Alt 08.04.2015, 23:27   #2
Pauskar
 

split because of excessive length



Also: the infection that Avast usually blocks on such tabs is called: HTML:RedirME-inf [Trj]

I'm sorry about the file in the attachment, but I have no idea how to get the other files in here. Copying directly doesn't work, since I would have six times the maximum allowed number of characters, and the file is likewise five times too large to upload (the file I'm talking about is the result of gmer).

edit: Here is the link to the mediafire upload of the GMER txt file: hxxp://www.mediafire.com/view/11ibihqco6izv8k/gmer.txt


Alt 09.04.2015, 05:09   #3
schrauber
/// the machine
/// TB instructor
 


Adware.SpeedingUp Virus Werbebanner Firefox



Hi,

Please always post logs in the thread. If necessary, split them and use several posts.
I can't open attachments at work, thanks.

This is how it works:
Posting in CODE tags
Attaching the logfiles, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the logfiles into a CODE box, proceed as follows:
  • Select the entire logfile (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • In the editor, click the # symbol. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is fine ... click Reply.

Alt 09.04.2015, 12:40   #4
Pauskar
 

Addition.txt



FRST Additions Logfile:
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015
Ran by User at 2015-04-08 22:51:10
Running from C:\Users\User\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Disabled - Out of date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Disabled - Out of date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKLM-x32\...\uTorrent) (Version: 3.2.0 - BitTorrent Inc.)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Adobe Reader X (10.1.0) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.0 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{308051DA-0048-7A07-FE8B-9B6EC119A9E8}) (Version: 8.0.915.0 - Advanced Micro Devices, Inc.)
Amnesia: The Dark Descent (HKLM-x32\...\Steam App 57300) (Version:  - )
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArtMoney SE v7.41 (HKLM-x32\...\ArtMoney SE_is1) (Version: 7.41 - System SoftLab)
avast! Internet Security (HKLM-x32\...\avast) (Version: 9.0.2021 - AVAST Software)
Bandicam (HKLM-x32\...\Bandicam) (Version: 2.1.2.740 - Bandisoft.com)
Bandisoft MPEG-1 Decoder (HKLM-x32\...\BandiMPEG1) (Version:  - Bandisoft.com)
Battlefield 2(TM) Demo (HKLM-x32\...\{8BECF123-B0EF-4E51-B7F3-923EFE15CC4A}) (Version:  - )
Bing Bar (HKLM-x32\...\{B4089055-D468-45A4-A6BA-5A138DD715FC}) (Version: 7.0.850.0 - Microsoft Corporation)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom Gigabit NetLink Controller (HKLM\...\{A84DB02B-9C2B-4272-9D2D-A80E00A56513}) (Version: 12.52.01 - Broadcom Corporation)
Call of Duty: Modern Warfare 3 - Multiplayer (HKLM-x32\...\Steam App 42690) (Version:  - Infinity Ward - Sledgehammer Games)
Castle Story (HKLM-x32\...\Steam App 227860) (Version:  - Sauropod Studio)
ccc-core-static (x32 Version: 2010.0505.2241.38914 - Ihr Firmenname) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 4.05 - Piriform)
Chivalry: Medieval Warfare (HKLM-x32\...\Steam App 219640) (Version:  - Torn Banner Studios)
Cloud System Booster (HKLM-x32\...\Cloud System Booster) (Version: 3.5 - Anvisoft)
Comodo Dragon (HKLM-x32\...\Comodo Dragon) (Version: 36.1.1.21 - Comodo)
Company of Heroes (New Steam Version) (HKLM-x32\...\Steam App 228200) (Version:  - )
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.0.2603 - CyberLink Corp.)
Dawn of War - Dark Crusade (HKLM-x32\...\{FF39FC01-819B-42E4-AE49-1968AF12DDD4}) (Version: 1.00.0000 - THQ)
DVD Architect Studio 5.0 (HKLM-x32\...\{04DF4A51-DE2A-11E0-9AB5-F04DA23A5C58}) (Version: 5.0.156 - Sony)
DVDVideoSoftTB DE Toolbar (HKLM-x32\...\DVDVideoSoftTB_DE Toolbar) (Version: 6.8.9.0 - DVDVideoSoftTB DE)
eazyzoom (HKLM-x32\...\{14803CA5-4974-4A33-82BC-3A2262F3A65A}) (Version: 1.1.0.30 - eazyzoom)
Energy Management (HKLM-x32\...\{0CE226F3-EB27-4ECD-BBF5-F088716779FD}) (Version: 5.4.1.6 - Lenovo)
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
Free YouTube to MP3 Converter version 3.12.50.1111 (HKLM-x32\...\Free YouTube to MP3 Converter_is1) (Version: 3.12.50.1111 - DVDVideoSoft Ltd.)
GameRanger (HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\GameRanger) (Version:  - GameRanger Technologies)
GeekBuddy (HKLM-x32\...\{741FC38C-2797-4AC1-AD63-4B65F9CA8B20}) (Version: 4.9.73 - Comodo Security Solutions Inc)
GIMP 2.8.8 (HKLM\...\GIMP-2_is1) (Version: 2.8.8 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Hybrid TV (HKLM\...\{CF29845C-705E-4450-A3FF-1D4754455AB9}) (Version: 6.14.10373 - Lenovo)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.5.4.1001 - Intel Corporation)
InterVideo WinDVD 8 (HKLM-x32\...\InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}) (Version: 8.0.20.108 - InterVideo Inc.)
InterVideo WinDVD 8 (x32 Version: 8.0.20.108 - InterVideo Inc.) Hidden
iTunes (HKLM\...\{D601CEAD-2E4F-4BBB-85CC-C29A4CE6A3C0}) (Version: 11.1.3.8 - Apple Inc.)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
JavaFX 2.1.0 (HKLM-x32\...\{1111706F-666A-4037-7777-210328764D10}) (Version: 2.1.0 - Oracle Corporation)
JMicron Flash Media Controller Driver (HKLM-x32\...\{26604C7E-A313-4D12-867F-7C6E7820BE4C}) (Version: 1.0.41.2 - JMicron Technology Corp.)
Junk Mail filter update (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Lenovo Bluetooth with Enhanced Data Rate Software (HKLM\...\{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}) (Version: 6.2.1.1200 - Broadcom Corporation)
Lenovo DirectShare (HKLM-x32\...\InstallShield_{B2164CCB-C002-4B80-8550-7535D80DF237}) (Version: 1.0.1.38 - ArcSoft)
Lenovo DirectShare (x32 Version: 1.0.1.38 - ArcSoft) Hidden
Lenovo EasyCamera (HKLM-x32\...\{F5608FF7-17C0-440A-80C7-29C48363BD87}) (Version: 1.0.9.2 - Suyin Optronics Corp.)
Lenovo MuteSync (HKLM-x32\...\InstallShield_{2955FADE-ADED-44AD-A853-D1EAEA7ACAD5}) (Version: 1.0.0.2 - Lenovo)
Lenovo MuteSync (x32 Version: 1.0.0.2 - Lenovo) Hidden
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 7.0.1230 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 7.0.1230 - CyberLink Corp.) Hidden
Lenovo ReadyComm 5 (HKLM-x32\...\{17542DBF-E17C-4562-BC4D-FA3EF3076C45}) (Version: 5.1.1.22 - Lenovo)
Lenovo ReadyComm 5.0 Service (HKLM-x32\...\{76C66170-C538-4E77-B54D-48E136B5B533}) (Version: 5.0.0.1 - Lenovo Group Limited)
Lenovo SlideNav (HKLM-x32\...\Lenovo SlideNav2) (Version: 2.0.1230.0003 - Lenovo)
Lenovo SplitScreen (HKLM-x32\...\Lenovo SplitScreen) (Version: 1.00.1529.0001 - Lenovo)
Lenovo_Wireless_Driver (HKLM-x32\...\{28ABE740-47F3-441B-9437-852F6A64EFF8}) (Version: 1.02.01 - Lenovo)
Logitech Gaming Software 8.30 (HKLM\...\Logitech Gaming Software) (Version: 8.30.86 - Logitech Inc.)
Medieval II Total War (HKLM-x32\...\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}) (Version: 1.00.0000 - SEGA)
MegaTrainer eXperience V1.1.4.8 (HKLM-x32\...\MegaTrainer eXperience_is1) (Version:  - )
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Games for Windows - LIVE (HKLM-x32\...\{F112F66E-25CA-42DD-983C-6118EB38F606}) (Version: 3.0.89.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM-x32\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM-x32\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 (HKLM-x32\...\{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}) (Version: 9.0.30411 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 36.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 36.0 (x86 de)) (Version: 36.0 - Mozilla)
Mozilla Firefox 37.0.1 (x86 de) (HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\Mozilla Firefox 37.0.1 (x86 de)) (Version: 37.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 14.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Onekey Theater (HKLM-x32\...\{DFB19121-0609-49C1-92B1-546E5A940FE8}) (Version: 2.0.1.8 - Lenovo)
OpenOffice.org 3.4 (HKLM-x32\...\{4C552FD3-2CCD-4E00-AC64-0681DBB3F8B5}) (Version: 3.4.9590 - OpenOffice.org)
Origin (HKLM-x32\...\Origin) (Version: 9.0.15.65 - Electronic Arts, Inc.)
Oxelon Media Converter 1.1 (HKLM-x32\...\Oxelon Media Converter_is1) (Version:  - Oxelon)
paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC)
PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.4809d4 - CyberLink Corp.)
QuickTime (HKLM-x32\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Realtek HDMI Audio Driver for ATI (HKLM-x32\...\{5449FB4F-1802-4D5B-A6D8-087DB1142147}) (Version: 6.0.1.6034 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6096 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.49 - Piriform)
Rome - Total War - Gold Edition (HKLM-x32\...\{2E97F7E8-ABDE-4E0D-B0AD-B6B4BAD89E24}) (Version: 1.6 - The Creative Assembly)
Rome: Total War - Alexander (HKLM-x32\...\Steam App 4770) (Version:  - The Creative Assembly)
Rome: Total War (HKLM-x32\...\Steam App 4760) (Version:  - The Creative Assembly)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Sound Forge Audio Studio 10.0 (HKLM-x32\...\{0AA0DA00-A1D3-11E0-B9A9-005056C00008}) (Version: 10.0.176 - Sony)
Spotify (HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\Spotify) (Version: 0.9.13.24.g5dbb3103 - Spotify AB)
Spotydl 0.9.36.0 (HKLM-x32\...\Spotydl_is1) (Version: 0.9.36.0 - spotydl.com)
Star Wars Battlefront II (HKLM-x32\...\{3D374523-CFDE-461A-827E-2A102E2AB365}) (Version: 1.0 - LucasArts)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
supra DateSet (HKLM-x32\...\{F6BA8F2A-9DA9-49DA-BD57-9D45DA73FD74}) (Version: 1.1.0.0 - SUPRA Foto-Elektronik-Vertriebs-GmbH)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.0.19.1 - Synaptics Incorporated)
TeamSpeak 3 Client (HKU\S-1-5-21-1326109875-696039885-1899394854-1000\...\TeamSpeak 3 Client) (Version: 3.0.11 - TeamSpeak Systems GmbH)
Total War: SHOGUN 2 (HKLM-x32\...\Steam App 34330) (Version:  - The Creative Assembly)
Unturned (HKLM-x32\...\Steam App 304930) (Version:  - Nelson Sexton)
Vegas Movie Studio HD Platinum 11.0 (HKLM-x32\...\{7ED73E5E-7F67-11E1-9898-F04DA23A5C58}) (Version: 11.0.322 - Sony)
VeriFace (HKLM-x32\...\VeriFace) (Version: 3.6.0.1211 - Lenovo)
VirtualDJ Home FREE (HKLM-x32\...\{B515962D-C979-44AC-9912-F7BB499B4B2C}) (Version: 7.3 - Atomix Productions)
VLC media player 2.0.0 (HKLM-x32\...\VLC media player) (Version: 2.0.0 - VideoLAN)
WEB.DE MailCheck für Mozilla Firefox (HKLM-x32\...\1&1 Mail & Media GmbH Toolbar FF) (Version: 3.0.2.1739 - 1&1 Mail & Media GmbH)
Windows Driver Package - Broadcom Bluetooth  (01/06/2010 6.2.0.9416) (HKLM\...\DFEA59689C004DFD0378309F3A583EA32D78A1B3) (Version: 01/06/2010 6.2.0.9416 - Broadcom)
Windows Driver Package - Broadcom HIDClass  (07/28/2009 6.2.0.9800) (HKLM\...\3BA80AB4C7E9F8497C115C844953A3D4BEB84D21) (Version: 07/28/2009 6.2.0.9800 - Broadcom)
Windows Driver Package - YUAN High-Tech Development Co., Ltd (ATIAVPCI) MEDIA  (07/16/2009 6.14.10.373) (HKLM\...\DF9F23E360B18E10871A49C3BC1AEDA269B8E0E2) (Version: 07/16/2009 6.14.10.373 - YUAN High-Tech Development Co., Ltd)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{9B48B0AC-C813-4174-9042-476A887592C7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{76618402-179D-4699-A66B-D351C59436BC}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live-Uploadtool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows-Treiberpaket - Lenovo (ACPIVPC) System  (10/19/2009 5.4.0.1) (HKLM\...\0A4175B489A1B4A6E07E11B063A6263480C51D71) (Version: 10/19/2009 5.4.0.1 - Lenovo)
WinRAR 4.20 (32-Bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
WSOP.com (HKLM-x32\...\WSOP.com) (Version:  - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1326109875-696039885-1899394854-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1326109875-696039885-1899394854-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1326109875-696039885-1899394854-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1326109875-696039885-1899394854-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1326109875-696039885-1899394854-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> No File Path

==================== Restore Points  =========================

05-04-2015 00:16:15 Geplanter Prüfpunkt
06-04-2015 14:26:30 Windows-Sicherung
07-04-2015 11:42:46 Wiederherstellungsvorgang
08-04-2015 22:39:59 Removed Google Talk Plugin

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {019C4EE4-8602-443B-B7F7-9BB84811FF50} - System32\Tasks\{7F83CC93-BB73-45BD-A64E-305A81C59F66} => pcalua.exe -a C:\Users\User\Downloads\WSOPOnline.exe -d C:\Users\User\Downloads
Task: {03E721F7-18D4-4820-B24E-A371781C8942} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-25] (Microsoft Corporation)
Task: {11C9932B-AE16-4357-88FB-AAD977D7934A} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-09-08] (AVAST Software)
Task: {1746E1E2-95D9-4AC5-B87B-06D15D0040FD} - System32\Tasks\avastBCLRestartS-1-5-21-1326109875-696039885-1899394854-1000 => Firefox.exe 
Task: {2C0FF014-B70C-4453-BBF7-8130A039A476} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-08-21] (Piriform Ltd)
Task: {4A459AA6-AC6F-46C1-B353-05CB02B3408D} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-25] (Microsoft Corporation)
Task: {5978DAA9-5B2F-4345-A9A2-00C1FAA537F1} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-25] (Microsoft Corporation)
Task: {5BF0B4AB-CF15-48B7-AC1A-3CE2E920C046} - System32\Tasks\{8F48537E-E013-4CC4-AA52-92991BB1A788} => C:\Program Files (x86)\Steam\Steam.exe [2015-03-24] (Valve Corporation)
Task: {91C85EE1-62B1-491C-B629-30FFC9207324} - System32\Tasks\{1FC9BAE6-FD94-41AE-9235-315F0D85462D} => C:\Program Files (x86)\The Creative Assembly\Rome - Total War\RomeTW.exe
Task: {959A8A3E-DBB8-4081-9AD6-9E004666C874} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-08] (Adobe Systems Incorporated)
Task: {972B1CE5-8C1B-453F-8A53-6A814FAA8509} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-17] (Google Inc.)
Task: {9A6D414B-6110-457F-88C2-3CE15858FB0B} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-03-25] (Microsoft Corporation)
Task: {9DF028DD-3CBC-4720-9362-EB3523350DB7} - System32\Tasks\{59AF354B-FA4C-4185-9BF8-3DD687F9A553} => C:\Program Files (x86)\Steam\Steam.exe [2015-03-24] (Valve Corporation)
Task: {AB8B5C03-329D-481A-91A0-40F377C76CEB} - System32\Tasks\{0D6163AB-BEEA-42F2-8C72-CE97D4D97549} => C:\Program Files (x86)\Sony Vegas Movie Studio\Vegas Movie Studio HD Platinum 11.0\VegasMovieStudioPE110.exe [2012-04-05] (Sony Creative Software Inc.)
Task: {AFE5FDC8-FBFB-4FA4-8950-43FDBD044922} - System32\Tasks\{8E905D90-C6AB-42B3-B093-C33BF54BD2B0} => pcalua.exe -a "C:\Program Files (x86)\GameSpy Arcade\Aphex.exe" -d C:\PROGRA~2\GAMESP~1
Task: {CCA14B64-7DB2-423B-93BC-08CCE6D376F6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-17] (Google Inc.)
Task: {F1EAA952-31FE-45F2-8D1E-557F15A93D9B} - System32\Tasks\{6BFF4D1A-FE9C-4AA9-A351-E0EFA5C50DF5} => C:\Users\User\Desktop\Games\age 2\age2_x1.exe [2000-08-08] (Microsoft Corporation)
Task: {FFADDA8D-6D23-4814-B84E-19F25D8673A2} - System32\Tasks\{C20ACD1A-3F8F-40B7-B054-E71BAB166859} => pcalua.exe -a "C:\Users\User\Desktop\Games\age 2\Setupreg.exe" -d "C:\Users\User\Desktop\Games\age 2"
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2012-05-11 11:03 - 2009-12-19 04:52 - 00201120 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect64.dll
2012-05-11 11:03 - 2009-12-19 04:53 - 00156576 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll64.dll
2012-05-11 11:14 - 2012-05-11 11:14 - 01502720 _____ () C:\windows\system32\IcnOvrly.dll
2013-08-05 08:15 - 2013-08-05 08:15 - 00070712 _____ () C:\windows\system32\bdmpega64.acm
2010-01-12 18:15 - 2010-01-12 18:15 - 00173344 _____ () C:\Program Files\Lenovo\Bluetooth Software\btkeyind.dll
2012-05-11 11:05 - 2009-07-15 17:55 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\kbdhook.dll
2012-05-11 11:03 - 2009-12-19 04:52 - 00100256 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
2012-05-11 11:05 - 2009-07-15 17:55 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2008-05-21 12:59 - 2008-05-21 12:59 - 00016384 ____R () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll
2012-05-11 10:44 - 2012-05-11 10:44 - 00270336 _____ () C:\windows\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2015-04-08 22:47 - 2015-04-08 22:47 - 00050477 _____ () C:\Users\User\Downloads\Defogger.exe
2014-09-08 17:03 - 2014-09-08 17:03 - 00301152 _____ () C:\Program Files\AVAST Software\Avast\aswProperty.dll
2015-04-08 15:06 - 2015-04-08 15:06 - 02925056 _____ () C:\Program Files\AVAST Software\Avast\defs\15040801\algo.dll
2015-04-08 21:54 - 2015-04-08 21:54 - 02925056 _____ () C:\Program Files\AVAST Software\Avast\defs\15040802\algo.dll
2012-02-20 21:29 - 2012-02-20 21:29 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2012-02-20 21:28 - 2012-02-20 21:28 - 01242472 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2012-05-11 11:03 - 2009-12-19 04:50 - 00161696 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect32.dll
2012-05-11 11:03 - 2009-12-19 04:51 - 00133024 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll32.dll
2012-05-11 11:14 - 2012-05-11 11:14 - 00492896 _____ () C:\Program Files (x86)\Lenovo\VeriFace\ChooseLang.dll
2014-09-08 17:03 - 2014-09-08 17:03 - 19329904 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2012-05-11 10:36 - 2009-11-20 17:19 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2015-02-04 23:09 - 2015-02-04 23:09 - 16852144 _____ () C:\windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll
2012-12-07 16:16 - 2012-12-07 16:16 - 22224096 _____ () C:\Users\User\AppData\Roaming\GameRanger\GameRanger Prefs\Components\libcef.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1326109875-696039885-1899394854-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\User\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: Apple Mobile Device => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: CLPSLauncher => 2
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"

==================== Accounts: =============================

Administrator (S-1-5-21-1326109875-696039885-1899394854-500 - Administrator - Disabled)
Gast (S-1-5-21-1326109875-696039885-1899394854-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1326109875-696039885-1899394854-1002 - Limited - Enabled)
User (S-1-5-21-1326109875-696039885-1899394854-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

Name: avast! Firewall NDIS Filter Miniport
Description: avast! Firewall NDIS Filter Miniport
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: ALWIL Software
Service: aswNdis
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.

Name: Broadcom BCM2070 Bluetooth 2.1+EDR USB Device
Description: Broadcom BCM2070 Bluetooth 2.1+EDR USB Device
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: Broadcom
Service: BTHUSB
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/08/2015 10:40:11 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Fehler beim Kryptografiedienst während der Verarbeitung des "OnIdentity()"-Aufrufobjekts "System Writer".


Details:
AddWin32ServiceFiles: Unable to back up image of service jimshle since QueryServiceConfig API failed

System Error:
Zugriff verweigert
.

Error: (04/08/2015 10:40:11 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Fehler beim Kryptografiedienst während der Verarbeitung des "OnIdentity()"-Aufrufobjekts "System Writer".


Details:
AddWin32ServiceFiles: Unable to back up image of service isazpav since QueryServiceConfig API failed

System Error:
Zugriff verweigert
.

Error: (04/08/2015 10:40:11 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Fehler beim Kryptografiedienst während der Verarbeitung des "OnIdentity()"-Aufrufobjekts "System Writer".


Details:
AddLegacyDriverFiles: Unable to back up image of binary tammgR119 service.

System Error:
Zugriff verweigert
.

Error: (04/08/2015 10:40:11 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Fehler beim Kryptografiedienst während der Verarbeitung des "OnIdentity()"-Aufrufobjekts "System Writer".


Details:
AddLegacyDriverFiles: Unable to back up image of binary tammgF119 service.

System Error:
Zugriff verweigert
.

Error: (04/08/2015 02:52:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: plugin-container.exe, Version: 37.0.1.5570, Zeitstempel: 0x551e23ee
Name des fehlerhaften Moduls: mozalloc.dll, Version: 37.0.1.5570, Zeitstempel: 0x551e1536
Ausnahmecode: 0x80000003
Fehleroffset: 0x00001aa1
ID des fehlerhaften Prozesses: 0xda0
Startzeit der fehlerhaften Anwendung: 0xplugin-container.exe0
Pfad der fehlerhaften Anwendung: plugin-container.exe1
Pfad des fehlerhaften Moduls: plugin-container.exe2
Berichtskennung: plugin-container.exe3

Error: (04/07/2015 00:37:07 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Unbekannter Fehler bei der Systemwiederherstellung: (Windows-Sicherung). Zusätzliche Informationen: 0x80070057.

Error: (04/07/2015 00:22:29 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Unbekannter Fehler bei der Systemwiederherstellung: (Wiederherstellungsvorgang). Zusätzliche Informationen: 0x80070057.

Error: (04/07/2015 00:13:23 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Unbekannter Fehler bei der Systemwiederherstellung: (Windows-Sicherung). Zusätzliche Informationen: 0x80070057.

Error: (04/07/2015 00:01:11 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Unbekannter Fehler bei der Systemwiederherstellung: (Geplanter Prüfpunkt). Zusätzliche Informationen: 0x80070057.

Error: (04/07/2015 11:42:53 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Fehler beim Kryptografiedienst während der Verarbeitung des "OnIdentity()"-Aufrufobjekts "System Writer".


Details:
AddWin32ServiceFiles: Unable to back up image of service jimshle since QueryServiceConfig API failed

System Error:
Zugriff verweigert
.


System errors:
=============
Error: (04/08/2015 09:54:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "ReadyComm.DirectRouter" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (04/08/2015 09:51:10 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: 
CFRMD

Error: (04/08/2015 11:00:44 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "ReadyComm.DirectRouter" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (04/08/2015 10:57:49 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: 
CFRMD

Error: (04/08/2015 10:56:26 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Search Protect by Conduit Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.

Error: (04/08/2015 10:50:56 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "ReadyComm.DirectRouter" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (04/08/2015 10:48:19 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: 
CFRMD

Error: (04/07/2015 07:55:42 PM) (Source: BROWSER) (EventID: 8032) (User: )
Description: Das Einlesen der Sicherungsliste durch den Suchdienst schlug auf Transport "\Device\NetBT_Tcpip_{1E289F5C-2B70-48AE-BC49-3CD6168DF27C}" zu oft fehl.
Der Sicherungssuchdienst wird beendet.

Error: (04/07/2015 07:31:46 PM) (Source: bowser) (EventID: 8003) (User: )
Description: Der Hauptsuchdienst erhielt eine Serverankündigung vom Computer "MARTIN-VAIO",
der der Hauptsuchdienst der Domäne für den NetBT_Tcpip_{1E289F5C-2B70-48AE-BC49-3CD6168DF27C}-Transport zu sein scheint.
Der Hauptsuchdienst wurde beendet oder es wird eine Auswahl erzwungen.

Error: (04/07/2015 00:43:01 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: Der Dienst "Windows Update" wurde nicht richtig gestartet.


Microsoft Office Sessions:
=========================
Error: (04/08/2015 10:40:11 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 
Details:
AddWin32ServiceFiles: Unable to back up image of service jimshle since QueryServiceConfig API failed

System Error:
Zugriff verweigert

Error: (04/08/2015 10:40:11 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 
Details:
AddWin32ServiceFiles: Unable to back up image of service isazpav since QueryServiceConfig API failed

System Error:
Zugriff verweigert

Error: (04/08/2015 10:40:11 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 
Details:
AddLegacyDriverFiles: Unable to back up image of binary tammgR119 service.

System Error:
Zugriff verweigert

Error: (04/08/2015 10:40:11 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 
Details:
AddLegacyDriverFiles: Unable to back up image of binary tammgF119 service.

System Error:
Zugriff verweigert

Error: (04/08/2015 02:52:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe37.0.1.5570551e23eemozalloc.dll37.0.1.5570551e15368000000300001aa1da001d071f5e0a77d7fD:\Programme\plugin-container.exeD:\Programme\mozalloc.dll0cf797a7-ddee-11e4-b7a7-e89a8fd864ed

Error: (04/07/2015 00:37:07 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Windows-Sicherung0x80070057

Error: (04/07/2015 00:22:29 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Wiederherstellungsvorgang0x80070057

Error: (04/07/2015 00:13:23 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Windows-Sicherung0x80070057

Error: (04/07/2015 00:01:11 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Geplanter Prüfpunkt0x80070057

Error: (04/07/2015 11:42:53 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 
Details:
AddWin32ServiceFiles: Unable to back up image of service jimshle since QueryServiceConfig API failed

System Error:
Zugriff verweigert


CodeIntegrity Errors:
===================================
  Date: 2015-04-07 19:59:50.679
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-07 19:15:51.459
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-07 13:52:45.607
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-07 13:09:15.175
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-05 11:46:56.727
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-04 00:20:31.755
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-03 01:25:18.010
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-03 00:19:41.020
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-02 21:34:43.129
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2015-04-02 16:23:42.701
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Windows\System32\dsound.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i7 CPU Q 740 @ 1.73GHz
Percentage of memory in use: 37%
Total physical RAM: 8124.56 MB
Available physical RAM: 5103.86 MB
Total Pagefile: 16247.31 MB
Available Pagefile: 12890.59 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:421.81 GB) (Free:140.48 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:24.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: BB2F74B2)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=421.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=29 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=14.8 GB) - (Type=12)

==================== End Of Log ============================
         
--- --- ---

Alt 09.04.2015, 12:44   #5
Pauskar
 
Adware.SpeedingUp Virus Werbebanner Firefox - Standard

gmer1



Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-04-08 23:28:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: Gmer-19357.exe; Driver: C:\Users\User\AppData\Local\Temp\kxldapob.sys


---- User code sections - GMER 2.1 ----

.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                          00000000777a1360 5 bytes JMP 000000014a350460
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                   00000000777a13b0 5 bytes JMP 000000014a350450
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                   00000000777a1510 5 bytes JMP 000000014a350370
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                        00000000777a1560 5 bytes JMP 000000014a350470
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                              00000000777a1570 5 bytes JMP 000000014a3503e0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                   00000000777a1620 5 bytes JMP 000000014a350320
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                            00000000777a1650 5 bytes JMP 000000014a3503b0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                               00000000777a1670 5 bytes JMP 000000014a350390
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                     00000000777a16b0 5 bytes JMP 000000014a3502e0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                   00000000777a1730 5 bytes JMP 000000014a3502d0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                 00000000777a1750 5 bytes JMP 000000014a350310
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                  00000000777a1790 5 bytes JMP 000000014a3503c0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                               00000000777a17e0 5 bytes JMP 000000014a3503f0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                  00000000777a1940 5 bytes JMP 000000014a350230
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                       00000000777a1b00 5 bytes JMP 000000014a350480
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                      00000000777a1b30 5 bytes JMP 000000014a3503a0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                               00000000777a1c10 5 bytes JMP 000000014a3502f0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                            00000000777a1c20 5 bytes JMP 000000014a350350
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                  00000000777a1c80 5 bytes JMP 000000014a350290
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                               00000000777a1d10 5 bytes JMP 000000014a3502b0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                00000000777a1d30 5 bytes JMP 000000014a3503d0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                   00000000777a1d40 5 bytes JMP 000000014a350330
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                            00000000777a1db0 5 bytes JMP 000000014a350410
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                               00000000777a1de0 5 bytes JMP 000000014a350240
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                    00000000777a20a0 5 bytes JMP 000000014a3501e0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                               00000000777a2160 5 bytes JMP 000000014a350250
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                               00000000777a2190 5 bytes JMP 000000014a350490
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                      00000000777a21a0 5 bytes JMP 000000014a3504a0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                 00000000777a21d0 5 bytes JMP 000000014a350300
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                              00000000777a21e0 5 bytes JMP 000000014a350360
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                    00000000777a2240 5 bytes JMP 000000014a3502a0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                 00000000777a2290 5 bytes JMP 000000014a3502c0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                    00000000777a22c0 5 bytes JMP 000000014a350380
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                     00000000777a22d0 5 bytes JMP 000000014a350340
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                              00000000777a25c0 5 bytes JMP 000000014a350440
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                             00000000777a27c0 5 bytes JMP 000000014a350260
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                00000000777a27d0 5 bytes JMP 000000014a350270
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                              00000000777a27e0 5 bytes JMP 000000014a350400
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                          00000000777a29a0 5 bytes JMP 000000014a3501f0
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                           00000000777a29b0 5 bytes JMP 000000014a350210
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                00000000777a2a20 5 bytes JMP 000000014a350200
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                00000000777a2a80 5 bytes JMP 000000014a350420
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                 00000000777a2a90 5 bytes JMP 000000014a350430
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                            00000000777a2aa0 5 bytes JMP 000000014a350220
.text    C:\windows\system32\csrss.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                    00000000777a2b80 5 bytes JMP 000000014a350280
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                          00000000777a1360 5 bytes JMP 000000014a350460
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                   00000000777a13b0 5 bytes JMP 000000014a350450
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                   00000000777a1510 5 bytes JMP 000000014a350370
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                        00000000777a1560 5 bytes JMP 000000014a350470
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                              00000000777a1570 5 bytes JMP 000000014a3503e0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                   00000000777a1620 5 bytes JMP 000000014a350320
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                            00000000777a1650 5 bytes JMP 000000014a3503b0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                               00000000777a1670 5 bytes JMP 000000014a350390
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                     00000000777a16b0 5 bytes JMP 000000014a3502e0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                   00000000777a1730 5 bytes JMP 000000014a3502d0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                 00000000777a1750 5 bytes JMP 000000014a350310
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                  00000000777a1790 5 bytes JMP 000000014a3503c0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                               00000000777a17e0 5 bytes JMP 000000014a3503f0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                  00000000777a1940 5 bytes JMP 000000014a350230
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                       00000000777a1b00 5 bytes JMP 000000014a350480
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                      00000000777a1b30 5 bytes JMP 000000014a3503a0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                               00000000777a1c10 5 bytes JMP 000000014a3502f0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                            00000000777a1c20 5 bytes JMP 000000014a350350
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                  00000000777a1c80 5 bytes JMP 000000014a350290
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                               00000000777a1d10 5 bytes JMP 000000014a3502b0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                00000000777a1d30 5 bytes JMP 000000014a3503d0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                   00000000777a1d40 5 bytes JMP 000000014a350330
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                            00000000777a1db0 5 bytes JMP 000000014a350410
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                               00000000777a1de0 5 bytes JMP 000000014a350240
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                    00000000777a20a0 5 bytes JMP 000000014a3501e0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                               00000000777a2160 5 bytes JMP 000000014a350250
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                               00000000777a2190 5 bytes JMP 000000014a350490
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                      00000000777a21a0 5 bytes JMP 000000014a3504a0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                 00000000777a21d0 5 bytes JMP 000000014a350300
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                              00000000777a21e0 5 bytes JMP 000000014a350360
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                    00000000777a2240 5 bytes JMP 000000014a3502a0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                 00000000777a2290 5 bytes JMP 000000014a3502c0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                    00000000777a22c0 5 bytes JMP 000000014a350380
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                     00000000777a22d0 5 bytes JMP 000000014a350340
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                              00000000777a25c0 5 bytes JMP 000000014a350440
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                             00000000777a27c0 5 bytes JMP 000000014a350260
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                00000000777a27d0 5 bytes JMP 000000014a350270
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                              00000000777a27e0 5 bytes JMP 000000014a350400
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                          00000000777a29a0 5 bytes JMP 000000014a3501f0
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                           00000000777a29b0 5 bytes JMP 000000014a350210
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                00000000777a2a20 5 bytes JMP 000000014a350200
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                00000000777a2a80 5 bytes JMP 000000014a350420
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                 00000000777a2a90 5 bytes JMP 000000014a350430
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                            00000000777a2aa0 5 bytes JMP 000000014a350220
.text    C:\windows\system32\csrss.exe[676] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                    00000000777a2b80 5 bytes JMP 000000014a350280
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                        00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                 00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                 00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                      00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                            00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                 00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                          00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                             00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                   00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                 00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                               00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                             00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                     00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                    00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                             00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                          00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\wininit.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                             00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\lsass.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                           00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\lsass.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\lsass.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\lsass.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                 00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\lsass.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                            00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\lsass.exe[800] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                    00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                            00000000777a1360 5 bytes JMP 0000000100070460
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                     00000000777a13b0 5 bytes JMP 0000000100070450
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                     00000000777a1510 5 bytes JMP 0000000100070370
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                          00000000777a1560 5 bytes JMP 0000000100070470
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                00000000777a1570 5 bytes JMP 00000001000703e0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                     00000000777a1620 5 bytes JMP 0000000100070320
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                              00000000777a1650 5 bytes JMP 00000001000703b0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                 00000000777a1670 5 bytes JMP 0000000100070390
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                       00000000777a16b0 5 bytes JMP 00000001000702e0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                     00000000777a1730 5 bytes JMP 00000001000702d0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                   00000000777a1750 5 bytes JMP 0000000100070310
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                    00000000777a1790 5 bytes JMP 00000001000703c0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                                 00000000777a17e0 5 bytes JMP 00000001000703f0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                    00000000777a1940 5 bytes JMP 0000000100070230
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                         00000000777a1b00 5 bytes JMP 0000000100070480
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                        00000000777a1b30 5 bytes JMP 00000001000703a0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                                 00000000777a1c10 5 bytes JMP 00000001000702f0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                              00000000777a1c20 5 bytes JMP 0000000100070350
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                    00000000777a1c80 5 bytes JMP 0000000100070290
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                                 00000000777a1d10 5 bytes JMP 00000001000702b0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                  00000000777a1d30 5 bytes JMP 00000001000703d0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                     00000000777a1d40 5 bytes JMP 0000000100070330
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                              00000000777a1db0 5 bytes JMP 0000000100070410
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                                 00000000777a1de0 5 bytes JMP 0000000100070240
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                      00000000777a20a0 5 bytes JMP 00000001000701e0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                                 00000000777a2160 5 bytes JMP 0000000100070250
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                                 00000000777a2190 5 bytes JMP 0000000100070490
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                        00000000777a21a0 5 bytes JMP 00000001000704a0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                                   00000000777a21d0 5 bytes JMP 0000000100070300
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                                00000000777a21e0 5 bytes JMP 0000000100070360
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                      00000000777a2240 5 bytes JMP 00000001000702a0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                                   00000000777a2290 5 bytes JMP 00000001000702c0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                      00000000777a22c0 5 bytes JMP 0000000100070380
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                       00000000777a22d0 5 bytes JMP 0000000100070340
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                                00000000777a25c0 5 bytes JMP 0000000100070440
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                               00000000777a27c0 5 bytes JMP 0000000100070260
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                                  00000000777a27d0 5 bytes JMP 0000000100070270
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                00000000777a27e0 5 bytes JMP 0000000100070400
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                            00000000777a29a0 5 bytes JMP 00000001000701f0
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                             00000000777a29b0 5 bytes JMP 0000000100070210
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                                  00000000777a2a20 5 bytes JMP 0000000100070200
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                  00000000777a2a80 5 bytes JMP 0000000100070420
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                   00000000777a2a90 5 bytes JMP 0000000100070430
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                              00000000777a2aa0 5 bytes JMP 0000000100070220
.text    C:\windows\system32\lsm.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                      00000000777a2b80 5 bytes JMP 0000000100070280
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                        00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                 00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                 00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                      00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                            00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                 00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                          00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                             00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                   00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                 00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                               00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                             00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                     00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                    00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                             00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                          00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                             00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                              00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                 00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                          00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                             00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                  00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                             00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                             00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                    00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                               00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                            00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                  00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\svchost.exe[908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore
         


09.04.2015, 12:46   #6
Pauskar

Adware.SpeedingUp Virus Werbebanner Firefox

gmer 2

Code:
.text    C:\windows\system32\svchost.exe[1000] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\svchost.exe[1000] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\svchost.exe[1000] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\svchost.exe[1000] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                      000000007758ef8d 1 byte [62]
.text    C:\windows\system32\atiesrxx.exe[536] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                      000000007758ef8d 1 byte [62]
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                        00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                 00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                 00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                      00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                            00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                 00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                          00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                             00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                   00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                 00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                               00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                             00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                     00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                    00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                             00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                          00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                             00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                              00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                 00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                          00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                             00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                  00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                             00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                             00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                    00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                               00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                            00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                  00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                               00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                  00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                   00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                            00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                           00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                              00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                            00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                        00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                         00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                              00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                              00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                               00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                          00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\System32\svchost.exe[616] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                  00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                        00000000777a1360 5 bytes JMP 0000000100070460
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                 00000000777a13b0 5 bytes JMP 0000000100070450
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                 00000000777a1510 5 bytes JMP 0000000100070370
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                      00000000777a1560 5 bytes JMP 0000000100070470
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                            00000000777a1570 5 bytes JMP 00000001000703e0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                 00000000777a1620 5 bytes JMP 0000000100070320
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                          00000000777a1650 5 bytes JMP 00000001000703b0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                             00000000777a1670 5 bytes JMP 0000000100070390
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                   00000000777a16b0 5 bytes JMP 00000001000702e0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                 00000000777a1730 5 bytes JMP 00000001000702d0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                               00000000777a1750 5 bytes JMP 0000000100070310
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                00000000777a1790 5 bytes JMP 00000001000703c0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                             00000000777a17e0 5 bytes JMP 00000001000703f0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                00000000777a1940 5 bytes JMP 0000000100070230
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                     00000000777a1b00 5 bytes JMP 0000000100070480
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                    00000000777a1b30 5 bytes JMP 00000001000703a0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                             00000000777a1c10 5 bytes JMP 00000001000702f0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                          00000000777a1c20 5 bytes JMP 0000000100070350
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                00000000777a1c80 5 bytes JMP 0000000100070290
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                             00000000777a1d10 5 bytes JMP 00000001000702b0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                              00000000777a1d30 5 bytes JMP 00000001000703d0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                 00000000777a1d40 5 bytes JMP 0000000100070330
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                          00000000777a1db0 5 bytes JMP 0000000100070410
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                             00000000777a1de0 5 bytes JMP 0000000100070240
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                  00000000777a20a0 5 bytes JMP 00000001000701e0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                             00000000777a2160 5 bytes JMP 0000000100070250
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                             00000000777a2190 5 bytes JMP 0000000100070490
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                    00000000777a21a0 5 bytes JMP 00000001000704a0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                               00000000777a21d0 5 bytes JMP 0000000100070300
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                            00000000777a21e0 5 bytes JMP 0000000100070360
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                  00000000777a2240 5 bytes JMP 00000001000702a0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                               00000000777a2290 5 bytes JMP 00000001000702c0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                  00000000777a22c0 5 bytes JMP 0000000100070380
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                   00000000777a22d0 5 bytes JMP 0000000100070340
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                            00000000777a25c0 5 bytes JMP 0000000100070440
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                           00000000777a27c0 5 bytes JMP 0000000100070260
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                              00000000777a27d0 5 bytes JMP 0000000100070270
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                            00000000777a27e0 5 bytes JMP 0000000100070400
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                        00000000777a29a0 5 bytes JMP 00000001000701f0
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                         00000000777a29b0 5 bytes JMP 0000000100070210
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                              00000000777a2a20 5 bytes JMP 0000000100070200
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                              00000000777a2a80 5 bytes JMP 0000000100070420
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                               00000000777a2a90 5 bytes JMP 0000000100070430
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                          00000000777a2aa0 5 bytes JMP 0000000100070220
.text    C:\windows\System32\svchost.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                  00000000777a2b80 5 bytes JMP 0000000100070280
.text    C:\windows\System32\svchost.exe[672] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                       000000007758ef8d 1 byte [62]
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                        00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                 00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                 00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                      00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                            00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                 00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                          00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                             00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                   00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                 00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                               00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                             00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                                00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                     00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                    00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                             00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                          00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                                00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                             00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                              00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                 00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                          00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                             00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                  00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                             00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                             00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                    00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                               00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                            00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                  00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                               00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                  00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                   00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                            00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                           00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                              00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                            00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                        00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                         00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                              00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                              00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                               00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                          00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\svchost.exe[552] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                  00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\svchost.exe[792] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                       000000007758ef8d 1 byte [62]
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                       00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                     00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                           00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                         00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                            00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                  00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                              00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                               00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                            00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                               00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                    00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                   00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                            00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                         00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                               00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                            00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                             00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                         00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                            00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                 00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                            00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                            00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                   00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                              00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                           00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                 00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                              00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                 00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                  00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                           00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                          00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                             00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                           00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                       00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                        00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                             00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                             00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\AUDIODG.EXE[1092] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                      00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                               00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                               00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                    00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                          00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                               00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                        00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                           00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                 00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                               00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                             00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                              00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                           00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                              00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                   00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                  00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                           00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                        00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                              00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                           00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                            00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                               00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                        00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                           00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                           00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                           00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                  00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                             00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                          00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                             00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                 00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                          00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                         00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                            00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                          00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                      00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                       00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                            00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                            00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                             00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                        00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\atieclxx.exe[1236] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                       00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                     00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                           00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                         00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                            00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                  00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                              00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                               00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                            00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                               00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                    00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                   00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                            00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                         00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                               00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                            00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                             00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                         00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                            00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                 00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                            00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                            00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                   00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                              00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                           00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                 00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                              00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                 00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                  00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                           00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                          00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                             00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                           00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                       00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                        00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                             00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                             00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\svchost.exe[1348] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                       00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                     00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                           00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                         00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                            00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                  00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                              00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                               00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                            00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                               00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                    00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                   00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                            00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                         00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                               00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                            00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                             00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                         00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                            00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                 00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                            00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                            00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                   00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                              00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                           00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                 00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                              00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                 00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                  00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                           00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                          00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                             00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                           00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                       00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                        00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                             00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                             00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\System32\spoolsv.exe[1740] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                       00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                     00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                           00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                         00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                            00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                  00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                              00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                               00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                            00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                               00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                    00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                   00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                            00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                         00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                               00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                            00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                             00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                         00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                            00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                 00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                            00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                            00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                   00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                              00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                           00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                 00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                              00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                 00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                  00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                           00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                          00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                             00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                           00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                       00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                        00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                             00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                             00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
         

Alt 09.04.2015, 12:47   #7
Pauskar
 

gmer 3



Code:
.text    C:\windows\system32\svchost.exe[1808] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                      00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                               00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                               00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                    00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                          00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                               00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                        00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                           00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                 00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                               00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                             00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                              00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                           00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                              00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                   00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                  00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                           00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                        00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                              00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                           00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                            00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                               00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                        00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                           00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                           00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                           00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                  00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                             00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                          00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\taskhost.exe[1936] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                           0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                         0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                         0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                            0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                     0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                            0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                     0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                           0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                         0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                           0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                              0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                           0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                         0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                     0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program[2908] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                     0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2944] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                       000000007722a2fd 1 byte [62]
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                               00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                        00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                        00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                             00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                   00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                        00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                 00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                    00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                          00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                        00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                      00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                       00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                    00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                       00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                            00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                           00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                    00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                 00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                       00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                    00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                     00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                        00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                 00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                    00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                         00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                    00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                    00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                           00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                      00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                   00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                         00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                      00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                         00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                          00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                   00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                  00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                     00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                   00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                               00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                     00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                     00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                      00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                 00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2724] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                         00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                 00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                          00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                          00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                               00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                     00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                          00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                   00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                      00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                            00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                          00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                        00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                         00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                      00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                         00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                              00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                             00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                      00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                   00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                         00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                      00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                       00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                          00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                   00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                      00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                           00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                      00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                      00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                             00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                        00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                     00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                           00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                        00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                           00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                            00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                     00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                    00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                       00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                     00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                 00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                  00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                       00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                       00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                        00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                   00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\SearchIndexer.exe[3544] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                           00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                           00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                    00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                    00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                         00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                               00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                    00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                             00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                      00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                    00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\Dwm.exe[3724] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                                  00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                              00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                           00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                 00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                              00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                 00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                  00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                           00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                          00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                             00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                        00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                             00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                             00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3768] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                      000000007758ef8d 1 byte [62]
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                        00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                 00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                      00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent
         

Alt 09.04.2015, 12:49   #8
Pauskar
 
Adware.SpeedingUp Virus Werbebanner Firefox - Standard

gmer 4



.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                              00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                           00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                 00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                              00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                 00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                  00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                           00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                          00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                             00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                        00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                             00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                             00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe[3940] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                      000000007758ef8d 1 byte [62]
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                         00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                  00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                  00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                       00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                             00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                  00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                           00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                              00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                    00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                  00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                 00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                              00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                 00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                      00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                     00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                              00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                           00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                 00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                              00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                               00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                  00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                           00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                              00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                   00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                              00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                              00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                     00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                             00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                   00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                   00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                    00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                             00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                            00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                               00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                             00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                         00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                          00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                               00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                               00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                           00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                   00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe[3428] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                        000000007758ef8d 1 byte [62]
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                           00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                    00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                    00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                         00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                               00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                    00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                             00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                      00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                    00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                  00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                   00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                   00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                        00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                       00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                             00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                   00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                 00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                    00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                             00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                     00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                       00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                  00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                               00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                     00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                  00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                     00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                      00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                               00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                              00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                 00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                               00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                           00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                            00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                 00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                 00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                  00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                             00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                     00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\system32\kernel32.dll!LoadLibraryW                                                                  0000000077546440 5 bytes JMP 0000000169ff0038
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                          000000007758ef8d 1 byte [62]
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW                                                              000007fefd828ef0 5 bytes JMP 000007fffd7f00b8
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA                                                              000007fefd82bfd0 5 bytes JMP 000007fffd7f0038
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\system32\WINMM.dll!waveOutReset                                                                     000007fefb1da38c 5 bytes JMP 000007fefd7f02b8
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\system32\WINMM.dll!waveOutPause                                                                     000007fefb1f4b60 5 bytes JMP 000007fefd7f0238
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\system32\WINMM.dll!waveOutRestart                                                                   000007fefb1f4ba0 5 bytes JMP 000007fefd7f01b8
.text    C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[4100] C:\windows\system32\ole32.dll!CoCreateInstance                                                                 000007fefea37490 5 bytes JMP 000007fffd7f0138
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                       000000007722a2fd 1 byte [62]
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                     0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                       0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                     0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                     0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                        0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                 0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                        0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                 0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                       0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                            0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                     0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                       0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                          0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                       0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                     0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                 0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe[4152] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                 0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                 00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                          00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                          00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                               00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                   00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                      00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                            00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                          00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                         00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                             00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                      00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                   00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                         00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                      00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                          00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                   00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                      00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                      00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                      00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                             00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                        00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                     00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                           00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                        00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                           00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                            00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                     00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                    00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                       00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                     00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                  00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                       00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                        00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                           00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\system32\kernel32.dll!LoadLibraryW                                                        0000000077546440 5 bytes JMP 0000000169ff0038
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                000000007758ef8d 1 byte [62]
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW                                                    000007fefd828ef0 5 bytes JMP 000007fffd7f00b8
.text    C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4228] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA                                                    000007fefd82bfd0 5 bytes JMP 000007fffd7f0038
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                      00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                               00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                               00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                    00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                          00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                               00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                        00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                           00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                 00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                               00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                             00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                              00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                           00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                              00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                   00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                  00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                           00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                        00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                              00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                           00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                            00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                               00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                        00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                           00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                           00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                           00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                  00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                             00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                          00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                             00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                 00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                          00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                         00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                            00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                          00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                      00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                       00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                            00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                            00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                             00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                        00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4356] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                     000000007758ef8d 1 byte [62]
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                   00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                            00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                            00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                 00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                       00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                            00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                     00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                        00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                              00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                            00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                          00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                           00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                        00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                           00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                               00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                        00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                     00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                           00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                        00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                         00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                            00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                     00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                        00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                             00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                        00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                        00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                               00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                          00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                       00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                             00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                          00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                             00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                              00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                       00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                      00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                         00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                       00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                   00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                    00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                         00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                         00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                          00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                     00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                             00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\kernel32.dll!LoadLibraryW                                                                          0000000077546440 5 bytes JMP 0000000169ff0038
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                  000000007758ef8d 1 byte [62]
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                      000007fefd828ef0 5 bytes JMP 000007fffd7f00b8
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA                                                                      000007fefd82bfd0 5 bytes JMP 000007fffd7f0038
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\ole32.dll!CoCreateInstance                                                                         000007fefea37490 5 bytes JMP 000007fffd7f0138
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\WINMM.dll!waveOutReset                                                                             000007fefb1da38c 5 bytes JMP 000007fefd7f02b8
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\WINMM.dll!waveOutPause                                                                             000007fefb1f4b60 5 bytes JMP 000007fefd7f0238
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\WINMM.dll!waveOutRestart                                                                           000007fefb1f4ba0 5 bytes JMP 000007fefd7f01b8
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\DDRAW.dll!DirectDrawCreate                                                                         000007fef673815c 5 bytes JMP 000007fefd7f0338
.text    C:\Program Files\Logitech Gaming Software\LCore.exe[4388] C:\windows\system32\DDRAW.dll!DirectDrawCreateEx                                                                       000007fef6738968 5 bytes JMP 000007fefd7f03b8
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                          00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                   00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                   00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                        00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                              00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                   00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                            00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                               00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                     00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                   00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                 00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                  00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                               00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                  00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                       00000000777a1b00 5 bytes JMP 0000000077900480
         

Alt 09.04.2015, 12:51   #9
Pauskar

Adware.SpeedingUp Virus Werbebanner Firefox

gmer 5

Code:
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                      00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                               00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                            00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                  00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                               00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                   00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                            00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                               00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                    00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                               00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                               00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                      00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                 00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                              00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                    00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                 00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                    00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                     00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                              00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                             00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                              00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                          00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                           00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                 00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                            00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                    00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\system32\kernel32.dll!LoadLibraryW                                                                                 0000000077546440 5 bytes JMP 0000000169ff0038
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                         000000007758ef8d 1 byte [62]
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                             000007fefd828ef0 5 bytes JMP 000007fffd8100b8
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA                                                                             000007fefd82bfd0 5 bytes JMP 000007fffd810038
.text    C:\Program Files\Windows Sidebar\sidebar.exe[4548] C:\windows\system32\ole32.dll!CoCreateInstance                                                                                000007fefea37490 5 bytes JMP 000007fffd810138
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\kernel32.dll!LoadLibraryExA                                                            00000000772048db 5 bytes JMP 00000001100027c0
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\kernel32.dll!LoadLibraryW                                                              00000000772048f3 5 bytes JMP 00000001100028a0
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\kernel32.dll!LoadLibraryExW                                                            0000000077204925 5 bytes JMP 0000000110002830
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                      000000007722a2fd 1 byte [62]
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\ole32.dll!CoCreateInstance                                                             00000000756f9d0b 5 bytes JMP 0000000110002900
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                    0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                      0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                    0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                    0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                       0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                       0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                      0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                           0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                    0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                      0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                         0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                      0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                    0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4584] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                 00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                          00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                          00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                               00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                     00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                   00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                      00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                            00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                          00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                         00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                             00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                      00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                   00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                         00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                      00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                          00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                   00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                      00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                      00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                      00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                             00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                        00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                     00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                           00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                        00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                           00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                            00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                     00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                    00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                       00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                     00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                  00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                       00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                        00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                           00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\system32\kernel32.dll!LoadLibraryW                                                                        0000000077546440 5 bytes JMP 0000000169ff0038
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                000000007758ef8d 1 byte [62]
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                    000007fefd828ef0 5 bytes JMP 000007fffd7f00b8
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA                                                                    000007fefd82bfd0 5 bytes JMP 000007fffd7f0038
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\system32\WINMM.dll!waveOutReset                                                                           000007fefb1da38c 5 bytes JMP 000007fefd7f02b8
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\system32\WINMM.dll!waveOutPause                                                                           000007fefb1f4b60 5 bytes JMP 000007fefd7f0238
.text    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4660] C:\windows\system32\WINMM.dll!waveOutRestart                                                                         000007fefb1f4ba0 5 bytes JMP 000007fefd7f01b8
.text    C:\Program Files\Windows Media Player\wmpnetwk.exe[4700] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                   000000007758ef8d 1 byte [62]
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExA                                              00000000772048db 5 bytes JMP 00000001100027c0
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\KERNEL32.dll!LoadLibraryW                                                00000000772048f3 5 bytes JMP 00000001100028a0
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExW                                              0000000077204925 5 bytes JMP 0000000110002830
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                        000000007722a2fd 1 byte [62]
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\ole32.dll!CoCreateInstance                                               00000000756f9d0b 5 bytes JMP 0000000110002900
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                      0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                        0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                      0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                      0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\KERNEL32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                         0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                  0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                         0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                  0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                        0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                             0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                      0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                        0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                           0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                        0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                      0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                  0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4780] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                  0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\KERNEL32.dll
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                            00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                     00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                     00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                          00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                     00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                              00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                 00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                       00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                     00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                   00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                    00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                 00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                    00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                         00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                        00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                 00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                              00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                    00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                 00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                  00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                     00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                              00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                 00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                      00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                 00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                 00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                        00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                   00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                      00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                   00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                      00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                       00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                               00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                  00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                            00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                             00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                  00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                  00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                   00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                              00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                      00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\system32\KERNEL32.dll!LoadLibraryW                                                                   0000000077546440 5 bytes JMP 0000000169ff0038
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                                           000000007758ef8d 1 byte [62]
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW                                                               000007fefd828ef0 5 bytes JMP 000007fffd8100b8
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA                                                               000007fefd82bfd0 5 bytes JMP 000007fffd810038
.text    C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[4888] C:\windows\system32\ole32.dll!CoCreateInstance                                                                  000007fefea37490 5 bytes JMP 000007fffd810138
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                             00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                      00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                      00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                           00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                 00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                      00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                               00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                  00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                        00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                      00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                    00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                     00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                  00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                     00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                          00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                         00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                  00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                               00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                     00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                  00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                   00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                      00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                               00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                  00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                       00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                  00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                  00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                         00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                    00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                 00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                       00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                    00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                       00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                        00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                 00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                   00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                 00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                             00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                              00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                   00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                   00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                    00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                               00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                       00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\system32\kernel32.dll!LoadLibraryW                                                    0000000077546440 5 bytes JMP 0000000169ff0038
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                            000000007758ef8d 1 byte [62]
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW                                                000007fefd828ef0 5 bytes JMP 000007fffd8100b8
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA                                                000007fefd82bfd0 5 bytes JMP 000007fffd810038
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe[4952] C:\windows\system32\ole32.dll!CoCreateInstance                                                   000007fefea37490 5 bytes JMP 000007fffd810138
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                       00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                     00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                           00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                         00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                            00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                  00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                              00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                               00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                            00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                               00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                    00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                   00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                            00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                         00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                               00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                            00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                             00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                         00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                            00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                 00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                            00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                            00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                   00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                              00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                           00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                 00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                              00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                 00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                  00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                           00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                          00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                             00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                           00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                       00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                        00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                             00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                             00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\System32\svchost.exe[5104] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                              000000007722a2fd 1 byte [62]
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                            0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                              0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                            0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                            0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                               0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                        0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                               0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                        0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                              0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                   0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                            0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                              0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                 0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                              0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                            0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                        0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\ProgramData\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe[4288] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                        0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\kernel32.dll!LoadLibraryExA                                                                        00000000772048db 5 bytes JMP 00000001100027c0
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\kernel32.dll!LoadLibraryW                                                                          00000000772048f3 5 bytes JMP 00000001100028a0
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\kernel32.dll!LoadLibraryExW                                                                        0000000077204925 5 bytes JMP 0000000110002830
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                  000000007722a2fd 1 byte [62]
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\ole32.dll!CoCreateInstance                                                                         00000000756f9d0b 5 bytes JMP 0000000110002900
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                  0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                   0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                            0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                   0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                            0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                  0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                       0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                  0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                     0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                  0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                            0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[4272] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                            0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\kernel32.dll!LoadLibraryExA                                            00000000772048db 5 bytes JMP 00000001003927c0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\kernel32.dll!LoadLibraryW                                              00000000772048f3 5 bytes JMP 00000001003928a0
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\kernel32.dll!LoadLibraryExW                                            0000000077204925 5 bytes JMP 0000000100392830
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                      000000007722a2fd 1 byte [62]
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\ole32.dll!CoCreateInstance                                             00000000756f9d0b 5 bytes JMP 0000000100392900
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                    0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                      0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                    0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                    0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                       0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                       0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                      0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                           0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                    0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                      0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                         0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                      0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                    0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\kernel32.dll!LoadLibraryExA                                                                         00000000772048db 5 bytes JMP 00000001002e27c0
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\kernel32.dll!LoadLibraryW                                                                           00000000772048f3 5 bytes JMP 00000001002e28a0
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\kernel32.dll!LoadLibraryExW                                                                         0000000077204925 5 bytes JMP 00000001002e2830
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                   000000007722a2fd 1 byte [62]
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                 0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                   0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                 0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                 0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                    0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                             0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                    0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                             0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                   0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                        0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                 0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                   0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                      0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                   0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                 0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                             0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                             0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4652] C:\windows\syswow64\ole32.dll!CoCreateInstance                                                                          00000000756f9d0b 5 bytes JMP 00000001002e2900
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900]
         

Old 09.04.2015, 12:54   #10
Pauskar
gmer 6



Code:
C:\windows\syswow64\kernel32.dll!LoadLibraryExA                                                             00000000772048db 5 bytes JMP 00000001100027c0
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\kernel32.dll!LoadLibraryW                                                               00000000772048f3 5 bytes JMP 00000001100028a0
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\kernel32.dll!LoadLibraryExW                                                             0000000077204925 5 bytes JMP 0000000110002830
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                       000000007722a2fd 1 byte [62]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\ole32.dll!CoCreateInstance                                                              00000000756f9d0b 5 bytes JMP 0000000110002900
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                     0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                       0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                     0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                     0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                        0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                 0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                        0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                 0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                       0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                            0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                     0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                       0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                          0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                       0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                     0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                 0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2900] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                 0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\kernel32.dll!LoadLibraryExA                                                                00000000772048db 5 bytes JMP 00000001100027c0
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\kernel32.dll!LoadLibraryW                                                                  00000000772048f3 5 bytes JMP 00000001100028a0
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\kernel32.dll!LoadLibraryExW                                                                0000000077204925 5 bytes JMP 0000000110002830
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                          000000007722a2fd 1 byte [62]
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                        0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                          0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                        0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                        0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                           0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                    0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                           0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                    0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                          0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                               0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                        0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                          0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                             0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                          0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                        0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                    0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                    0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe[2852] C:\windows\syswow64\ole32.dll!CoCreateInstance                                                                 00000000756f9d0b 5 bytes JMP 0000000110002900
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\kernel32.dll!LoadLibraryExA                                                                             00000000772048db 5 bytes JMP 00000001100027c0
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\kernel32.dll!LoadLibraryW                                                                               00000000772048f3 5 bytes JMP 00000001100028a0
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\kernel32.dll!LoadLibraryExW                                                                             0000000077204925 5 bytes JMP 0000000110002830
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                       000000007722a2fd 1 byte [62]
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\ole32.dll!CoCreateInstance                                                                              00000000756f9d0b 5 bytes JMP 0000000110002900
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                     0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                       0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                     0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                     0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                        0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                 0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                        0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                 0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                       0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                            0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                     0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                       0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                          0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                       0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                     0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                 0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\iTunes\iTunesHelper.exe[2520] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                 0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                 00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                          00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                          00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                               00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                     00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                          00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                   00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                      00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                            00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                          00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                        00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                         00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                      00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                         00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                              00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                             00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                      00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                   00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                         00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                      00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                       00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                          00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                   00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                      00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                           00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                      00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                      00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                             00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                        00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                     00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                           00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                        00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                           00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                            00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                     00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                    00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                       00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                     00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                 00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                  00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                       00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                       00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                        00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                   00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\wbem\wmiprvse.exe[2600] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                           00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter                                                             0000000077208791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                    000000007722a2fd 1 byte [62]
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                  0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                    0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                  0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                  0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                     0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                              0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                     0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                              0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                    0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                         0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files\AVAST Software\Avast\avastui.exe[3228] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                  0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                        0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                 0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                        0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                 0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                       0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                            0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                     0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                       0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                          0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                       0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                     0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                 0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5452] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                 0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                                       00000000777a1360 5 bytes JMP 0000000077900460
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject                                                                                                00000000777a13b0 5 bytes JMP 0000000077900450
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                00000000777a1510 5 bytes JMP 0000000077900370
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                                     00000000777a1560 5 bytes JMP 0000000077900470
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                           00000000777a1570 5 bytes JMP 00000000779003e0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                                00000000777a1620 5 bytes JMP 0000000077900320
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                         00000000777a1650 5 bytes JMP 00000000779003b0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                            00000000777a1670 5 bytes JMP 0000000077900390
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent                                                                                                  00000000777a16b0 5 bytes JMP 00000000779002e0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                                                                00000000777a1730 5 bytes JMP 00000000779002d0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                              00000000777a1750 5 bytes JMP 0000000077900310
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                               00000000777a1790 5 bytes JMP 00000000779003c0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                            00000000777a17e0 5 bytes JMP 00000000779003f0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry                                                                                               00000000777a1940 5 bytes JMP 0000000077900230
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                    00000000777a1b00 5 bytes JMP 0000000077900480
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject                                                                                   00000000777a1b30 5 bytes JMP 00000000779003a0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair                                                                                            00000000777a1c10 5 bytes JMP 00000000779002f0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion                                                                                         00000000777a1c20 5 bytes JMP 0000000077900350
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                               00000000777a1c80 5 bytes JMP 0000000077900290
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                                                            00000000777a1d10 5 bytes JMP 00000000779002b0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                             00000000777a1d30 5 bytes JMP 00000000779003d0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer                                                                                                00000000777a1d40 5 bytes JMP 0000000077900330
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess                                                                                         00000000777a1db0 5 bytes JMP 0000000077900410
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry                                                                                            00000000777a1de0 5 bytes JMP 0000000077900240
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                 00000000777a20a0 5 bytes JMP 00000000779001e0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry                                                                                            00000000777a2160 5 bytes JMP 0000000077900250
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey                                                                                            00000000777a2190 5 bytes JMP 0000000077900490
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                   00000000777a21a0 5 bytes JMP 00000000779004a0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair                                                                                              00000000777a21d0 5 bytes JMP 0000000077900300
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion                                                                                           00000000777a21e0 5 bytes JMP 0000000077900360
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant                                                                                                 00000000777a2240 5 bytes JMP 00000000779002a0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore                                                                                              00000000777a2290 5 bytes JMP 00000000779002c0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread                                                                                                 00000000777a22c0 5 bytes JMP 0000000077900380
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer                                                                                                  00000000777a22d0 5 bytes JMP 0000000077900340
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx                                                                                           00000000777a25c0 5 bytes JMP 0000000077900440
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder                                                                                          00000000777a27c0 5 bytes JMP 0000000077900260
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions                                                                                             00000000777a27d0 5 bytes JMP 0000000077900270
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                           00000000777a27e0 5 bytes JMP 0000000077900400
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                       00000000777a29a0 5 bytes JMP 00000000779001f0
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState                                                                                        00000000777a29b0 5 bytes JMP 0000000077900210
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                             00000000777a2a20 5 bytes JMP 0000000077900200
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                             00000000777a2a80 5 bytes JMP 0000000077900420
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                              00000000777a2a90 5 bytes JMP 0000000077900430
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                         00000000777a2aa0 5 bytes JMP 0000000077900220
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                 00000000777a2b80 5 bytes JMP 0000000077900280
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\system32\kernel32.dll!LoadLibraryW                                                                                              0000000077546440 5 bytes JMP 0000000169ff0038
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189                                                                                      000000007758ef8d 1 byte [62]
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                          000007fefd828ef0 5 bytes JMP 000007fffd8100b8
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA                                                                                          000007fefd82bfd0 5 bytes JMP 000007fffd810038
.text    C:\windows\system32\wuauclt.exe[1792] C:\windows\system32\ole32.dll!CoCreateInstance                                                                                             000007fefea37490 5 bytes JMP 000007fffd810138
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                                               000000007722a2fd 1 byte [62]
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                             0000000075c21401 2 bytes JMP 7722b21b C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                               0000000075c21419 2 bytes JMP 7722b346 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                             0000000075c21431 2 bytes JMP 772a8ea9 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                             0000000075c2144a 2 bytes CALL 772048ad C:\windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                              * 9
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                0000000075c214dd 2 bytes JMP 772a87a2 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                         0000000075c214f5 2 bytes JMP 772a8978 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                0000000075c2150d 2 bytes JMP 772a8698 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                         0000000075c21525 2 bytes JMP 772a8a62 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                               0000000075c2153d 2 bytes JMP 7721fca8 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                    0000000075c21555 2 bytes JMP 772268ef C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                             0000000075c2156d 2 bytes JMP 772a8f61 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                               0000000075c21585 2 bytes JMP 772a8ac2 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                  0000000075c2159d 2 bytes JMP 772a865c C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                               0000000075c215b5 2 bytes JMP 7721fd41 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                             0000000075c215cd 2 bytes JMP 7722b2dc C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                         0000000075c216b2 2 bytes JMP 772a8e24 C:\windows\syswow64\kernel32.dll
.text    C:\Users\User\Downloads\Gmer-19357.exe[6268] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                         0000000075c216bd 2 bytes JMP 772a85f1 C:\windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [4700:4476]                                                                                                                   000007fef6da2bf8
---- Processes - GMER 2.1 ----

Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\windows\system32\taskhost.exe [1936](2015-04-06 12:05:28)                                                 000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhrywac.exe (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhrywac.exe [2868]                                                          0000000000400000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhryaac.exe (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhryaac.exe [2908]                                                          00000000003c0000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\windows\system32\Dwm.exe [3724](2015-04-06 12:05:28)                                                      000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [3732](2015-04-06 12:05:28)                                                          000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [3768](2015-04-06 12:0                                       000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [3792](2015-04-06 12:05:                                      000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3948](2015-04-06 12:05:28                                     000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Synaptics\SynTP\SynBtnAsst.exe [3940](2015-04-06 12:0                                       000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [3428](2015-04-06 12:05:28)                    000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4100](2015-04-06 12:05:28)                      000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe [4152](2015-04-06 12:05:52)                   0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [4228](2015-04-06 12:05:28)            000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Synaptics\SynTP\SynTPHelper.exe [4356](2015-04-06 12                                        000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Logitech Gaming Software\LCore.exe [4388](2015-04                                           000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Windows Sidebar\sidebar.exe [4548](2015-04-06 12:05:28)                                     000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [4584](2015-04-06 12:05:52)                  0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe [4660](201                                             000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [4780](2015-04-06 12:05:52)    0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe [4888](2015-04-06 12:05:28)                       000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe [4952](2015-04-06 12:05:28)        000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4960](2015-04-06 12:05:28)              000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [4272](2015-04                                           0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Program Files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe [4332](2015-04-06 12:05:52)  0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [4652](2015-04-0                                          0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2900](2015-04-06 12:05:52)                   0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2852](2015-04-06 12:05:52)                      0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Program Files (x86)\iTunes\iTunesHelper.exe [2520](2015-04-06 12:05:                                      0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.exe (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.exe [5932]                                                          000000013fb50000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.exe [5932](2015-04-06 12:05:28)                                     000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.exe (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.exe [4372]                                                          0000000000ba0000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.exe [4372](2015-04-06 12:05:52)                                     0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhrydac.exe (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhrydac.exe [1768]                                                          0000000001330000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhrydacu.dll (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhrydac.exe [1768]                                                         00000000656f0000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\ProgramData\eazyzoom\1.1.0.30\jhrydac.exe [1768](2015-04-06 12:05:52)                                     0000000065770000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [5528](2015-04-06 12:05:28)              000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\windows\system32\wbem\unsecapp.exe [3048](2015-04-06 12:05:28)                                            000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry6ac.dll (*** suspicious ***) @ C:\windows\system32\wuauclt.exe [1792](2015-04-06 12:05:28)                                                  000007feed820000
Library  C:\ProgramData\eazyzoom\1.1.0.30\jhry3ac.dll (*** suspicious ***) @ C:\Users\User\Downloads\Gmer-19357.exe [6268](2015-04-06 12:05:52)                                           0000000065770000

---- Services - GMER 2.1 ----

Service  C:\ProgramData\eazyzoom\1.1.0.30\jhrywac.exe (*** hidden *** )                                                                                                                   [AUTO] isazpav                                                            <-- ROOTKIT !!!
Service  C:\ProgramData\eazyzoom\1.1.0.30\jhryaac.exe (*** hidden *** )                                                                                                                   [AUTO] jimshle                                                            <-- ROOTKIT !!!
Service  C:\windows\system32\Drivers\tammgF119.sys (*** hidden *** )                                                                                                                      [SYSTEM] tammgF119                                                        <-- ROOTKIT !!!
Service  C:\windows\system32\Drivers\tammgR119.sys (*** hidden *** )                                                                                                                      [SYSTEM] tammgR119                                                        <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tammgF119.sys@                                                                                                            Driver
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tammgR119.sys@                                                                                                            Driver
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tammgF119.sys@                                                                                                            Driver
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tammgR119.sys@                                                                                                            Driver
Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88                                                                                                      
Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46afcfaa0                                                                                                      
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@Type                                                                                                                              16
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@Start                                                                                                                             2
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@ErrorControl                                                                                                                      1
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@ImagePath                                                                                                                         "C:\ProgramData\eazyzoom\1.1.0.30\jhrywac.exe" -scm
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@DisplayName                                                                                                                       isazpav
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@WOW64                                                                                                                             1
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@ObjectName                                                                                                                        LocalSystem
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav                                                                                                                                   
Reg      HKLM\SYSTEM\CurrentControlSet\services\jimshle@Type                                                                                                                              16
Reg      HKLM\SYSTEM\CurrentControlSet\services\jimshle@Start                                                                                                                             2
Reg      HKLM\SYSTEM\CurrentControlSet\services\jimshle@ErrorControl                                                                                                                      1
Reg      HKLM\SYSTEM\CurrentControlSet\services\jimshle@ImagePath                                                                                                                         "C:\ProgramData\eazyzoom\1.1.0.30\jhryaac.exe" /ts2=1
Reg      HKLM\SYSTEM\CurrentControlSet\services\jimshle@DisplayName                                                                                                                       jimshle
Reg      HKLM\SYSTEM\CurrentControlSet\services\jimshle@WOW64                                                                                                                             1
Reg      HKLM\SYSTEM\CurrentControlSet\services\jimshle@ObjectName                                                                                                                        LocalSystem
Reg      HKLM\SYSTEM\CurrentControlSet\services\jimshle                                                                                                                                   
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@Type                                                                                                                            2
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@Start                                                                                                                           1
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@ErrorControl                                                                                                                    1
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@ImagePath                                                                                                                       \??\C:\windows\system32\Drivers\tammgF119.sys
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@DisplayName                                                                                                                     tammgF119 service
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@Group                                                                                                                           FSFilter Activity Monitor
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@DependOnService                                                                                                                 FltMgr?
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@WOW64                                                                                                                           1
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119\Instances                                                                                                                       
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119\Instances@DefaultInstance                                                                                                       tammgF119 Instance
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119\Instances\tammgF119 Instance                                                                                                    
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119\Instances\tammgF119 Instance@Altitude                                                                                           370034
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119\Instances\tammgF119 Instance@Flags                                                                                              0
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119                                                                                                                                 
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgR119@Type                                                                                                                            1
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgR119@Start                                                                                                                           1
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgR119@ErrorControl                                                                                                                    1
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgR119@ImagePath                                                                                                                       \??\C:\windows\system32\Drivers\tammgR119.sys
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgR119@DisplayName                                                                                                                     tammgR119 service
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgR119@WOW64                                                                                                                           1
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgR119                                                                                                                                 
Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)                                                                                  
Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46afcfaa0 (not active ControlSet)                                                                                  

---- EOF - GMER 2.1 ----
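The GMER log above lists four services it could not see through the Service Control Manager (`*** hidden ***`, `<-- ROOTKIT !!!`), and the registry section supplies the values behind them. Reading the two sections together is what turns the dump into a verdict: Type 16 is a Win32 own-process service, Type 2 a file system (minifilter) driver and Type 1 a kernel driver; Start 2 is AUTO and Start 1 is SYSTEM (loaded during kernel initialisation, before any service starts); an ObjectName of LocalSystem means full system rights; the Group "FSFilter Activity Monitor" together with an Altitude value under Instances puts tammgF119 in the minifilter stack; and the SafeBoot\Minimal and SafeBoot\Network entries mean both drivers are loaded in Safe Mode as well. The script below is an added illustration, not a GMER or Trojaner-Board tool: it parses an excerpt of the lines posted above (service names, paths and values copied from the log) and prints one triage line per flagged service. The parsing rules, the `Finding` structure and the output format are the example's own assumptions.

```python
r"""Triage helper for GMER 2.1 logs (added example, not a GMER or Trojaner-Board tool).
Joins hidden "Service ... <-- ROOTKIT" lines with the HKLM\SYSTEM\...\services\<name>
values and the SafeBoot entries, decoding Type/Start as the Service Control Manager does."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the GMER log posted above (column padding shortened).
SAMPLE_GMER_LOG = r"""
Service  C:\ProgramData\eazyzoom\1.1.0.30\jhrywac.exe (*** hidden *** )   [AUTO] isazpav   <-- ROOTKIT !!!
Service  C:\windows\system32\Drivers\tammgF119.sys (*** hidden *** )   [SYSTEM] tammgF119   <-- ROOTKIT !!!
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tammgF119.sys@   Driver
Reg      HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tammgF119.sys@   Driver
Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@Type   16
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@Start   2
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@ImagePath   "C:\ProgramData\eazyzoom\1.1.0.30\jhrywac.exe" -scm
Reg      HKLM\SYSTEM\CurrentControlSet\services\isazpav@ObjectName   LocalSystem
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@Type   2
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@Start   1
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119@Group   FSFilter Activity Monitor
Reg      HKLM\SYSTEM\CurrentControlSet\services\tammgF119\Instances\tammgF119 Instance@Altitude   370034
"""

# Type / Start values as stored under HKLM\SYSTEM\...\services\<name>
SERVICE_TYPES = {1: "kernel driver", 2: "file system driver",
                 16: "Win32 own-process service", 32: "Win32 shared-process service"}
START_TYPES = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "DEMAND", 4: "DISABLED"}
SERVICE_LINE = re.compile(r"^Service\s+(?P<path>.+?)\s+\((?P<flag>[^)]*)\)\s+"
                          r"\[(?P<start>[A-Z]+)\]\s+(?P<name>\S+)(?P<tail>.*)$")
REG_LINE = re.compile(r"^Reg\s+(?P<rest>.+?)\s*$")
SVC_KEY = re.compile(r"\\services\\(?P<svc>[^\\]+)", re.I)
SAFEBOOT_KEY = re.compile(r"\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<entry>[^\\]+)", re.I)
# registry value name -> Finding attribute, for values copied verbatim
VERBATIM = {"ImagePath": "image_path", "ObjectName": "runs_as",
            "Group": "group", "Altitude": "altitude"}

@dataclass
class Finding:
    name: str
    path: str = ""
    hidden: bool = False
    rootkit_flag: bool = False
    type_desc: str = "unknown"
    start_desc: str = "unknown"
    image_path: str = ""
    runs_as: str = ""
    group: str = ""
    altitude: Optional[str] = None
    safeboot: List[str] = field(default_factory=list)   # "Minimal" / "Network"

def triage(log_text: str) -> Dict[str, Finding]:
    lines = log_text.splitlines()
    findings: Dict[str, Finding] = {}
    # Pass 1: every service GMER lists; hidden ones carry the ROOTKIT marker
    for m in filter(None, map(SERVICE_LINE.match, lines)):
        f = findings.setdefault(m["name"], Finding(m["name"]))
        f.path, f.start_desc = m["path"], m["start"]
        f.hidden = "hidden" in m["flag"]
        f.rootkit_flag = "ROOTKIT" in m["tail"]
    # Pass 2: registry dump, "KEY@ValueName   data"; the value name may be empty
    safeboot = []
    for m in filter(None, map(REG_LINE.match, lines)):
        key, at, tail = m["rest"].partition("@")
        value, data = re.match(r"(\S*)\s*(.*)", tail).groups() if at else (None, "")
        sb = SAFEBOOT_KEY.search(key)
        if sb:                                  # driver/service also loaded in Safe Mode
            safeboot.append((sb["mode"], sb["entry"].lower()))
            continue
        sk = SVC_KEY.search(key.strip())
        if not sk or sk["svc"] not in findings:
            continue                            # e.g. BTHPORT pairing keys: not flagged
        f = findings[sk["svc"]]
        if value == "Type" and data.isdigit():
            f.type_desc = SERVICE_TYPES.get(int(data), f"type {data}")
        elif value == "Start" and data.isdigit():
            f.start_desc = START_TYPES.get(int(data), f"start {data}")
        elif value in VERBATIM:
            setattr(f, VERBATIM[value], data.strip())
    # SafeBoot entries name either the service or its driver file
    for f in findings.values():
        basename = f.path.rsplit("\\", 1)[-1].lower()
        for mode, entry in safeboot:
            if entry in (f.name.lower(), basename) and mode not in f.safeboot:
                f.safeboot.append(mode)
    return findings

def summarize(findings: Dict[str, Finding]) -> List[str]:
    """One line per service, rootkit-flagged ones first."""
    out = []
    for f in sorted(findings.values(), key=lambda x: (not x.rootkit_flag, x.name)):
        notes = [text for text, on in (("hidden from SCM", f.hidden),
                                       ("loads in Safe Mode " + "/".join(f.safeboot), f.safeboot),
                                       (f"minifilter altitude {f.altitude}", f.altitude),
                                       (f"runs as {f.runs_as}", f.runs_as)) if on]
        out.append(f"{f.name}: {f.type_desc}, start={f.start_desc}, "
                   f"image={f.image_path or f.path} [{'; '.join(notes)}]")
    return out
```

`summarize(triage(SAMPLE_GMER_LOG))` gives one line per flagged service: isazpav as an auto-start Win32 service running as LocalSystem out of C:\ProgramData, and tammgF119 as a file system driver at altitude 370034 that is also loaded in both Safe Mode variants. Point `triage()` at a complete GMER.log to get the same for every service it flagged. The parser only keys on the `Service`/`Reg` line prefixes and the `@` value separator GMER uses, so FRST or ComboFix logs need their own parser.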
         

Alt 09.04.2015, 18:01   #11
schrauber
/// the machine
/// TB-Ausbilder
 


hi,

Scan with Combofix
WARNING to everyone reading along:
Combofix should only be run when a team member has instructed you to do so!

Please download Combofix from the following download mirror: Link
  • IMPORTANT: Save Combofix to your desktop.
  • Please disable all of your antivirus software as well as any malware/spyware scanners. They can interfere with Combofix while it works. Combofix sometimes still complains anyway; you can ignore that, but please let me know.
  • Start Combofix.exe and follow the on-screen instructions.
  • While Combofix is running, please do not work on the computer, move the mouse or click into the Combofix window!
  • When Combofix is finished, it will create a log file.
  • Please post C:\Combofix.txt in your next reply (in CODE tags if possible).
Note: If you get the following error message after the reboot
Illegal operation attempted on a registry key that has been marked for deletion.
just restart the computer. That should fix the problem.

__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donate
Guides and help
Trojaner-Board Facebook page

No help via PM!

Alt 09.04.2015, 18:44   #12
Pauskar
 

Hello Schrauber,

I can't even get as far as running it, because the file apparently gets corrupted during the download(?).

When I click the link, Avast reports after completion that an infection via this link has just been blocked.
After the download I disabled Avast as instructed, but for the reason mentioned above the file could no longer be started.
Should I now disable Avast before the download? Or would I actually be letting a virus into my system by doing that?

Regards,
Pauskar

Alt 10.04.2015, 07:58   #13
schrauber
/// the machine
/// TB-Ausbilder
 


Yes, disable Avast beforehand

Alt 10.04.2015, 13:59   #14
Pauskar
 
combofix



Code:
ComboFix 15-04-09.01 - User 10.04.2015  14:20:34.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.8125.5421 [GMT 2:00]
Running from: c:\users\User\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: avast! Antivirus *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\User\AppData\Roaming\systweak\ssd\SSDPTstub.exe
c:\windows\s.bat
c:\windows\shost.bin
.
.
(((((((((((((((((((((((   Files Created from 2015-03-10 to 2015-04-10  ))))))))))))))))))))))))))))))
.
.
2015-04-10 12:38 . 2015-04-10 12:38	--------	d-----w-	c:\users\Default\AppData\Local\temp
2015-04-10 00:43 . 2015-04-10 00:43	--------	d-----w-	c:\program files (x86)\MyPCBU
2015-04-10 00:43 . 2015-04-10 00:43	--------	d-sh--w-	c:\users\User\AppData\Local\EmieUserList
2015-04-10 00:43 . 2015-04-10 00:43	--------	d-sh--w-	c:\users\User\AppData\Local\EmieSiteList
2015-04-10 00:43 . 2015-04-10 00:43	--------	d-sh--w-	c:\users\User\AppData\Local\EmieBrowserModeList
2015-04-10 00:43 . 2015-04-10 00:43	--------	d-----w-	c:\users\User\AppData\Roaming\moters
2015-04-10 00:43 . 2015-04-10 00:43	--------	d-----w-	c:\programdata\LolliScan
2015-04-10 00:43 . 2015-04-10 00:43	--------	d-----w-	c:\users\User\AppData\Roaming\lection
2015-04-10 00:43 . 2015-04-10 12:11	--------	d-----w-	c:\users\User\AppData\Local\mbot_de_589
2015-04-10 00:43 . 2015-04-10 00:43	--------	d-----w-	c:\program files (x86)\mbot_de_589
2015-04-10 00:42 . 2015-04-10 00:42	--------	d-----w-	c:\program files (x86)\WindowsScan
2015-04-10 00:42 . 2015-04-10 00:42	--------	d-----w-	c:\program files (x86)\app_setup
2015-04-10 00:41 . 2015-04-10 00:41	--------	d-----w-	c:\program files (x86)\Win_Scan
2015-04-09 15:34 . 2015-04-09 15:34	364472	----a-w-	c:\windows\system32\aswBoot.exe
2015-04-09 15:34 . 2015-04-09 15:34	43112	----a-w-	c:\windows\avastSS.scr
2015-04-09 15:33 . 2015-04-09 15:33	449896	----a-w-	c:\windows\system32\drivers\aswNdisFlt.sys
2015-04-09 15:30 . 2015-04-09 15:30	--------	d-----w-	c:\users\User\Tracing
2015-04-08 22:04 . 2015-04-08 22:04	--------	d-----w-	c:\program files (x86)\Common Files\Java
2015-04-08 20:50 . 2015-04-08 20:51	--------	d-----w-	C:\FRST
2015-04-06 14:30 . 2015-04-06 14:31	--------	d-----w-	c:\users\User\AppData\Local\Opera Software
2015-04-06 14:30 . 2015-04-06 14:31	--------	d-----w-	c:\users\User\AppData\Roaming\Opera Software
2015-04-06 14:25 . 2015-04-06 14:31	--------	d-----w-	c:\program files (x86)\Opera
2015-04-06 14:23 . 2015-04-06 14:25	--------	d-----w-	c:\users\User\AppData\Roaming\00000000-1428330225-0000-0000-000000000000
2015-04-04 11:15 . 2015-04-04 11:16	--------	d-s---w-	c:\windows\system32\GWX
2015-04-04 11:15 . 2015-04-04 11:15	--------	d-s---w-	c:\windows\SysWow64\GWX
2015-04-03 10:49 . 2015-03-14 10:02	12002392	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{202C22E6-6BFA-4EFA-8FC5-52EBC7AC4D64}\mpengine.dll
2015-04-02 18:13 . 2015-04-02 18:13	--------	d-----w-	c:\programdata\482632dc000026a9
2015-04-02 18:10 . 2015-04-02 18:10	--------	d-----w-	c:\users\User\AppData\Roaming\dlg
2015-04-02 18:05 . 2015-04-08 19:52	--------	d-----w-	c:\programdata\{559aac06-3e54-c069-559a-aac063e5b018}
2015-04-02 18:05 . 2015-04-02 19:20	--------	d-----w-	c:\users\User\AppData\Roaming\Steganos VPN
2015-04-02 18:04 . 2015-04-02 19:22	--------	d-----w-	c:\users\User\AppData\Roaming\Steganos
2015-04-02 18:04 . 2015-04-02 18:04	--------	d-----w-	c:\program files (x86)\Common Files\Steganos
2015-04-02 18:04 . 2015-04-02 19:22	--------	d-----w-	c:\program files (x86)\OkayFreedom
2015-04-02 18:03 . 2015-04-02 18:03	--------	d-----w-	c:\program files (x86)\WEB.DE MailCheck
2015-03-12 10:59 . 2015-02-20 04:41	41984	----a-w-	c:\windows\system32\lpk.dll
2015-03-12 10:59 . 2015-02-20 04:40	100864	----a-w-	c:\windows\system32\fontsub.dll
2015-03-12 10:59 . 2015-02-20 04:40	14336	----a-w-	c:\windows\system32\dciman32.dll
2015-03-12 10:59 . 2015-02-20 04:40	46080	----a-w-	c:\windows\system32\atmlib.dll
2015-03-12 10:59 . 2015-02-20 04:13	70656	----a-w-	c:\windows\SysWow64\fontsub.dll
2015-03-12 10:59 . 2015-02-20 04:13	10240	----a-w-	c:\windows\SysWow64\dciman32.dll
2015-03-12 10:59 . 2015-02-20 04:13	34304	----a-w-	c:\windows\SysWow64\atmlib.dll
2015-03-12 10:59 . 2015-02-20 04:12	25600	----a-w-	c:\windows\SysWow64\lpk.dll
2015-03-12 10:59 . 2015-02-20 03:29	372224	----a-w-	c:\windows\system32\atmfd.dll
2015-03-12 10:59 . 2015-02-20 03:09	299008	----a-w-	c:\windows\SysWow64\atmfd.dll
2015-03-11 16:39 . 2015-03-11 16:39	--------	d-----w-	c:\program files (x86)\The Creative Assembly
2015-03-11 14:41 . 2015-02-03 03:30	1202176	----a-w-	c:\windows\system32\drmv2clt.dll
2015-03-11 14:41 . 2015-02-03 03:30	842240	----a-w-	c:\windows\system32\blackbox.dll
2015-03-11 14:41 . 2015-02-03 03:12	744960	----a-w-	c:\windows\SysWow64\blackbox.dll
2015-03-11 14:41 . 2015-02-03 03:12	988160	----a-w-	c:\windows\SysWow64\drmv2clt.dll
2015-03-11 14:41 . 2015-02-03 03:31	14632960	----a-w-	c:\windows\system32\wmp.dll
2015-03-11 14:41 . 2015-02-03 03:31	782848	----a-w-	c:\windows\system32\wmdrmsdk.dll
2015-03-11 14:39 . 2015-02-03 03:31	215552	----a-w-	c:\windows\system32\ubpm.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-04-09 15:34 . 2014-09-08 15:04	136752	----a-w-	c:\windows\system32\drivers\aswStm.sys
2015-04-09 15:34 . 2014-09-08 15:04	29168	----a-w-	c:\windows\system32\drivers\aswHwid.sys
2015-04-09 15:34 . 2013-06-17 18:53	65736	----a-w-	c:\windows\system32\drivers\aswRvrt.sys
2015-04-09 15:34 . 2013-06-17 18:53	271200	----a-w-	c:\windows\system32\drivers\aswVmm.sys
2015-04-09 15:34 . 2012-05-28 01:51	442264	----a-w-	c:\windows\system32\drivers\aswSP.sys
2015-04-09 15:34 . 2012-05-28 01:51	93528	----a-w-	c:\windows\system32\drivers\aswRdr2.sys
2015-04-09 15:34 . 2012-05-28 01:51	88408	----a-w-	c:\windows\system32\drivers\aswMonFlt.sys
2015-04-09 15:34 . 2012-05-28 08:38	28144	----a-w-	c:\windows\system32\drivers\aswKbd.sys
2015-04-09 15:34 . 2012-05-28 01:51	1047320	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2015-04-08 22:04 . 2015-03-02 17:40	98216	----a-w-	c:\windows\SysWow64\WindowsAccessBridge-32.dll
2015-04-08 20:03 . 2012-05-28 01:13	778928	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2015-04-08 20:03 . 2012-05-16 15:56	142512	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-02-24 02:17 . 2012-07-08 11:25	295552	------w-	c:\windows\system32\MpSigStub.exe
2015-02-04 03:16 . 2015-02-11 15:26	609280	----a-w-	c:\windows\system32\generaltel.dll
2015-02-04 03:16 . 2015-02-11 15:26	762368	----a-w-	c:\windows\system32\invagent.dll
2015-02-04 03:16 . 2015-02-11 15:26	414720	----a-w-	c:\windows\system32\devinv.dll
2015-02-04 03:16 . 2015-02-11 15:26	894976	----a-w-	c:\windows\system32\appraiser.dll
2015-02-04 03:16 . 2015-02-11 15:26	227328	----a-w-	c:\windows\system32\aepdu.dll
2015-02-04 03:16 . 2015-02-11 15:26	192000	----a-w-	c:\windows\system32\aepic.dll
2015-02-04 03:13 . 2015-02-11 15:26	1098752	----a-w-	c:\windows\system32\aeinv.dll
2015-01-27 23:36 . 2015-02-11 15:26	1239720	----a-w-	c:\windows\system32\aitstatic.exe
.
.
((((((((((((((((((((((((((((   Registry Autostart Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Spotify Web Helper"="c:\users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-09-26 1245752]
"GoogleChromeAutoLaunch_BCEA24321E5E4F1401136BBEDFB545FE"="c:\program files (x86)\Google\Chrome\Application\chrome.exe" [2015-03-30 809288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-11-20 284696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 98304]
"MuteSync"="c:\progra~2\Lenovo\LENOVO~2\MuteSync.exe" [2009-12-28 336384]
"Lenovo SlideNav2"="c:\program files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlideNavVDM.exe" [2009-12-30 318400]
"Lenovo SplitScreen"="c:\program files\Lenovo\Lenovo SplitScreen\SplitScreen\AutoRunSpS.exe" [2010-04-01 778592]
"UCam_Menu"="c:\program files (x86)\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"YouCam Mirror Tray icon"="c:\program files (x86)\Lenovo\YouCam\YouCamTray.exe" [2010-02-03 167008]
"VeriFaceManager"="c:\program files (x86)\Lenovo\VeriFace\PManage.exe" [2012-05-11 3122528]
"UpdateP2GShortCut"="c:\program files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"tvncontrol"="c:\program files (x86)\Common Files\COMODO\GeekBuddyRSP.exe" [2013-10-11 2327248]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-11-01 152392]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-04-09 5512912]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2015-02-10 335232]
"mbot_de_589"="c:\program files (x86)\mbot_de_589\mbot_de_589.exe" [2015-04-07 3985040]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"upmbot_de_589.exe"="c:\users\User\AppData\Local\mbot_de_589\upmbot_de_589.exe" [2015-04-07 3309712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files (x86)\Windows Live\Installer\wlstart.exe" [2009-07-26 786760]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
hqghumeaylnlf.lnk - c:\programdata\{559aac06-3e54-c069-559a-aac063e5b018}\hqghumeaylnlf.exe /startup [2014-4-2 6382032]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2010-1-12 1082656]
Start GeekBuddy.lnk - c:\program files (x86)\Comodo\GeekBuddy\launcher.exe "unit_manager.exe" [2013-10-11 49360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 CFRMD;CFRMD;c:\windows\system32\DRIVERS\CFRMD.sys;c:\windows\SYSNATIVE\DRIVERS\CFRMD.sys [x]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys;c:\windows\SYSNATIVE\drivers\WDBridge.sys [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys;c:\windows\SYSNATIVE\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
R3 cpuz134;cpuz134;c:\users\User\AppData\Local\Temp\cpuz134\cpuz134_x64.sys;c:\users\User\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 IGRS;IGRS;c:\program files (x86)\Lenovo\ReadyComm\common\IGRS.exe;c:\program files (x86)\Lenovo\ReadyComm\common\IGRS.exe [x]
R4 CLPSLauncher;COMODO LPS Launcher;c:\program files (x86)\Common Files\COMODO\launcher_service.exe;c:\program files (x86)\Common Files\COMODO\launcher_service.exe [x]
S0 aswNdisFlt;Avast! Firewall Driver;c:\windows\system32\DRIVERS\aswNdisFlt.sys;c:\windows\SYSNATIVE\DRIVERS\aswNdisFlt.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 isazpav;isazpav;isazpav [x]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys;c:\windows\SYSNATIVE\drivers\aswKbd.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AnviCsbSvc;Anvi Cloud System Booster Speed Service;c:\program files (x86)\Anvisoft\Cloud System Booster\CSBSvc.exe;c:\program files (x86)\Anvisoft\Cloud System Booster\CSBSvc.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 avast! Firewall;Avast Firewall;c:\program files\AVAST Software\Avast\afwServ.exe;c:\program files\AVAST Software\Avast\afwServ.exe [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [x]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [x]
S2 GeekBuddyRSP;GeekBuddyRSP Server;c:\program files (x86)\Common Files\COMODO\GeekBuddyRSP.exe;c:\program files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys;c:\windows\SYSNATIVE\DRIVERS\AcpiVpc.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
IgrsSvcs	REG_MULTI_SZ   	ReadyComm.DirectRouter PS_MDP
<NO NAME>	REG_SZ         	
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-04-02 17:49	1061704	----a-w-	c:\program files (x86)\Google\Chrome\Application\41.0.2272.118\Installer\chrmstp.exe
.
Contents of the "Scheduled Tasks" folder
.
2015-04-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-28 20:03]
.
2015-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-17 18:53]
.
2015-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-17 18:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-04-09 15:34	722400	----a-w-	c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2012-05-11 09:14	1502720	----a-w-	c:\windows\System32\IcnOvrly.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-23 10775072]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-04-23 2040352]
"OnekeyStudio"="c:\program files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe" [2009-12-19 776608]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2010-03-11 4448704]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2010-03-11 7056832]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2012-05-21 6868280]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
.
------- Supplementary Scan -------
.
uLocal Page = about:blank
mLocal Page = about:blank
mSearch Page = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
uInternet Settings,ProxyOverride = *.local
IE: Bild an &Bluetooth-Gerät senden... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Free YouTube to MP3 Converter - c:\program files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm
IE: Seite an &Bluetooth-Gerät senden... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\rfo4snbm.default-1428334381312\
FF - prefs.js: browser.search.defaulturl - hxxps://www.google.com/search
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxps://www.google.com/search
.
- - - - Removed Orphaned Registry Entries - - - -
.
URLSearchHooks-{0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - (no file)
BHO-{0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - (no file)
BHO-{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - (no file)
Toolbar-Locked - (no file)
Toolbar-{0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - (no file)
Wow6432Node-HKCU-Run-DriverUpdaterPro - c:\program files (x86)\oTweak\DriverUpdaterPro\DriverUpdaterPro.exe
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
BHO-{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SynBtnAsst - c:\program files (x86)\Synaptics\SynTP\SynBtnAsst.exe
AddRemove-{14803CA5-4974-4A33-82BC-3A2262F3A65A} - c:\programdata\eazyzoom\1.1.0.30\Uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\isazpav]
"ImagePath"="\"c:\programdata\eazyzoom\1.1.0.30\jhrywac.exe\" -scm"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\jimshle]
"ImagePath"="\"c:\programdata\eazyzoom\1.1.0.30\jhryaac.exe\" /ts2=1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\tammgF119]
"ImagePath"="\??\c:\windows\system32\Drivers\tammgF119.sys"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\tammgR119]
"ImagePath"="\??\c:\windows\system32\Drivers\tammgR119.sys"
.
--------------------- Locked Registry Keys ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_134_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_134_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_134_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_134_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.17"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_134.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-04-10  14:41:20
ComboFix-quarantined-files.txt  2015-04-10 12:41
.
Before scan: 13 directory(ies), 155,069,243,392 bytes free
After scan: 17 directory(ies), 154,500,153,344 bytes free
.
- - End Of File - - EF34E96B934D5BF624496592408923A9
         
Heyho,

One more thing that might help: in my C:\ProgramData folder there is a hidden folder named Easyzoom, from which Avast has now blocked threats several times. I myself cannot access this folder at all, let alone delete it, because I get the error message 'Incorrect parameter'.

Regards,
Pauskar

11.04.2015, 07:15   #15
schrauber
/// the machine
/// TB trainer
 




Please download Malwarebytes Anti-Malware
  • Install the program to the default path. (Illustrated guide to MBAM)
  • Start Malwarebytes' Anti-Malware (MBAM).
  • Then click Scan, select the Threat Scan and click Start Scan.
  • At the end of the scan, have all detections (if any) moved to quarantine. To do so, click Remove Selected.
  • Let your computer restart if necessary to complete the cleanup.
  • Start MBAM, click History and then Application Logs.
  • Select the most recent scan log and click Export. Choose Text file (.txt) and save the file as mbam.txt on the desktop. You can find the MBAM log file here.
  • Include the contents of mbam.txt in your next reply.


Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Clean and confirm any prompts with OK.
  • Your computer will restart automatically. After the restart a text file will open. Post its contents in your next reply.
  • You can also find the log file at C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).

Please close your security software to avoid possible conflicts.
Please download Junkware Removal Tool to your desktop

  • Start the tool with a double-click. On Windows Vista (or higher), right-click and choose "Run as administrator".
  • Press any key to start the tool.
  • Depending on the system, the scan may take a while.
  • When the tool is finished, the log file (JRT.txt) is saved on the desktop and opened automatically.
  • Please post the contents of JRT.txt in your next reply.


and a fresh FRST log please.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009


No help via PM!
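Added triage example, not part of either post above and not one of the tools the helper asked for: the hidden C:\ProgramData\Easyzoom folder that Pauskar cannot open or delete is exactly the kind of artifact worth documenting before the cleanup tools wipe it. The script below shows what a practitioner would check on such a folder: whether it is a junction rather than a real folder (the ReparsePoint attribute), who owns it and which explicit ACEs were set on it (an adware installer commonly adds Deny entries for Everyone or Users, which is one reason an administrator account can neither open nor delete it), the SHA-256 hashes and Authenticode status of its files, and whether any Run key, scheduled task or service relaunches code from that path after a reboot. The folder path, an elevated session and PowerShell 4.0 or newer (needed for Get-FileHash) are assumptions; schtasks and Get-WmiObject are used instead of the newer cmdlets so it also works on the Windows 7 machine in this thread.

```powershell
# Added triage script for this thread; not part of the original posts.
# Assumptions: the folder path below, an elevated ("Run as administrator")
# session, and PowerShell 4.0 or newer (Get-FileHash).
$Target = 'C:\ProgramData\Easyzoom'

if (-not (Test-Path -LiteralPath $Target)) {
    Write-Warning "$Target not found (check the exact spelling with: dir /a C:\ProgramData)"
    return
}

# 1. What kind of object is it? -Force is needed because the folder is hidden.
#    A ReparsePoint attribute means it is a junction/symlink, not a plain folder,
#    which changes how it must be removed (remove the link, not its target).
$item = Get-Item -LiteralPath $Target -Force
$acl  = Get-Acl  -LiteralPath $Target
[PSCustomObject]@{
    Path         = $item.FullName
    Attributes   = $item.Attributes.ToString()
    ReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    Created      = $item.CreationTime
    Owner        = $acl.Owner
} | Format-List

# 2. Explicit (non-inherited) ACEs. A Deny entry for Everyone or Users is one
#    common reason an admin user can neither open nor delete an adware folder.
Write-Host "`nExplicit ACEs on $Target"
$acl.Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights |
    Format-Table -AutoSize

# 3. Inventory the contents with hashes and signature status, for lookup or submission.
Write-Host "`nFiles under $Target"
Get-ChildItem -LiteralPath $Target -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            File   = $_.FullName
            Bytes  = $_.Length
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signed = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    } | Format-Table -AutoSize

# 4. Persistence: does anything relaunch code from that folder after a reboot?
$pattern = [regex]::Escape($Target)

Write-Host "`nRun keys referencing $Target"
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        $key = $_
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Value -match $pattern } |
            Select-Object @{n='Key';e={$key}}, Name, Value
    } | Format-Table -AutoSize

# schtasks CSV output repeats its header row per task folder; those rows never
# match the path, so they are filtered out by the regex. Column names are
# localized, so match on all values and print the first column (the task name).
Write-Host "`nScheduled tasks referencing $Target"
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { (($_.PSObject.Properties | ForEach-Object { $_.Value }) -join ' ') -match $pattern } |
    ForEach-Object { ($_.PSObject.Properties | Select-Object -First 1).Value } |
    Select-Object -Unique

Write-Host "`nServices referencing $Target"
Get-WmiObject Win32_Service | Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
```

Save it as triage.ps1 and run it from an elevated PowerShell with `powershell -ExecutionPolicy Bypass -File .\triage.ps1`; the output is read-only (nothing is deleted or changed), so it is safe to collect before the MBAM/AdwCleaner/JRT run and post alongside their logs. If the first block shows ReparsePoint = True, or the ACE list shows Deny entries, that explains the 'Incorrect parameter' and access errors better than any antivirus detection name does.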
