GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-02-05 17:23:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.12.0 298,09GB Running: 98nxb6dr.exe; Driver: C:\Users\Kamila\AppData\Local\Temp\afdoqfow.sys ---- User code sections - GMER 2.0 ---- .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010027091c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100270048 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002702ee .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002704b2 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002709fe .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100270ae0 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 00000001001d004c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010027012a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100270758 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100270676 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002703d0 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100270594 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010027083a .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010027020c .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 000000010028059e .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a31401 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a31419 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a31431 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a3144a 2 bytes [A3, 75] .text ... * 9 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a314dd 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a314f5 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a3150d 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a31525 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a3153d 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a31555 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a3156d 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a31585 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a3159d 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a315b5 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a315cd 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a316b2 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1552] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a316bd 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 00000001001d091c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 00000001001d0048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001001d02ee .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001001d04b2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001001d09fe .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 00000001001d0ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 00000001001d012a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 00000001001d0758 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 00000001001d0676 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001001d03d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 00000001001d0594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 00000001001d083a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 00000001001d020c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1584] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001001e04bc .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[1664] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010029091c .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100290048 .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002902ee .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002904b2 .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002909fe .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100290ae0 .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010029012a .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100290758 .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100290676 .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002903d0 .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100290594 .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010029083a .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010029020c .text C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe[1824] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001002a059e .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010045091c .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100450048 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001004502ee .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001004504b2 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001004509fe .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100450ae0 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010045012a .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100450758 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100450676 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001004503d0 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100450594 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010045083a .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010045020c .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1948] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001004604bc .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 000000010029059e .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a41a9d1} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2020] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 00000001002a091c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 00000001002a0048 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002a02ee .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002a04b2 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002a09fe .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 00000001002a0ae0 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010024004c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 00000001002a012a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 00000001002a0758 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 00000001002a0676 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002a03d0 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 00000001002a0594 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 00000001002a083a .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 00000001002a020c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001002b059e .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 00000001002a0f52 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 00000001002b0210 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 00000001002b0048 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a43a9d1} .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 00000001002a0ca6 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002b03d8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 00000001002b012c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002b02f4 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[2688] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 00000001002a0e6e .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010029091c .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100290048 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002902ee .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002904b2 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002909fe .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100290ae0 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010029012a .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100290758 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100290676 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002903d0 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100290594 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010029083a .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010029020c .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001002a0762 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 0000000100290f52 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 00000001002a0210 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 00000001002a0048 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a42a9d1} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 0000000100290ca6 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002a03d8 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 00000001002a012c .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002a02f4 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 0000000100290e6e .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a31401 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a31419 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a31431 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a3144a 2 bytes [A3, 75] .text ... * 9 .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a314dd 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a314f5 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a3150d 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a31525 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a3153d 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a31555 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a3156d 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a31585 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a3159d 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a315b5 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a315cd 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a316b2 2 bytes [A3, 75] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[3112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a316bd 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075a31401 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075a31419 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075a31431 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075a3144a 2 bytes [A3, 75] .text ... * 9 .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075a314dd 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075a314f5 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075a3150d 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075a31525 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075a3153d 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075a31555 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075a3156d 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075a31585 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075a3159d 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075a315b5 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075a315cd 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075a316b2 2 bytes [A3, 75] .text C:\Users\Kamila\AppData\Local\Smartbar\Application\QuickShare.exe[3172] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075a316bd 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010029091c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100290048 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002902ee .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002904b2 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002909fe .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100290ae0 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010003004c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010029012a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100290758 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100290676 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002903d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100290594 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010029083a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010029020c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 0000000100290f52 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 00000001002a0210 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 00000001002a0048 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a42a9d1} .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 0000000100290ca6 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002a03d8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 00000001002a012c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002a02f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 0000000100290e6e .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001002a059e .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a31401 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a31419 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a31431 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a3144a 2 bytes [A3, 75] .text ... * 9 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a314dd 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a314f5 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a3150d 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a31525 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a3153d 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a31555 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a3156d 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a31585 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a3159d 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a315b5 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a315cd 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a316b2 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a316bd 2 bytes [A3, 75] .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 000000010029059e .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a41a9d1} .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe[3276] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 00000001003d091c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 00000001003d0048 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001003d02ee .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001003d04b2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001003d09fe .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 00000001003d0ae0 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 00000001003d012a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 00000001003d0758 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 00000001003d0676 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001003d03d0 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 00000001003d0594 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 00000001003d083a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 00000001003d020c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001003e059e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 00000001003d0f52 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 00000001003e0210 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 00000001003e0048 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a56a9d1} .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 00000001003d0ca6 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001003e03d8 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 00000001003e012c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001003e02f4 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3284] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 00000001003d0e6e .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 000000010029059e .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 0000000100290210 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 0000000100290048 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a41a9d1} .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002903d8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 000000010029012c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002902f4 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3304] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 00000001046c091c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 00000001046c0048 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001046c02ee .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001046c04b2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001046c09fe .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 00000001046c0ae0 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 0000000103cc004c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 00000001046c012a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 00000001046c0758 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 00000001046c0676 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001046c03d0 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 00000001046c0594 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 00000001046c083a .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 00000001046c020c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001046d059e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 00000001046c0f52 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 00000001046d0210 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 00000001046d0048 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8e85a9d1} .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 00000001046c0ca6 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001046d03d8 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 00000001046d012c .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001046d02f4 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 00000001046c0e6e .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a31401 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a31419 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a31431 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a3144a 2 bytes [A3, 75] .text ... * 9 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a314dd 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a314f5 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a3150d 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a31525 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a3153d 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a31555 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a3156d 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a31585 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a3159d 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a315b5 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a315cd 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a316b2 2 bytes [A3, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a316bd 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 00000001001d091c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 00000001001d0048 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001001d02ee .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001001d04b2 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001001d09fe .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 00000001001d0ae0 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 00000001001d012a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 00000001001d0758 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 00000001001d0676 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001001d03d0 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 00000001001d0594 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 00000001001d083a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 00000001001d020c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 00000001001d0f52 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 0000000100260210 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 0000000100260048 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a3ea9d1} .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 00000001001d0ca6 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002603d8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 000000010026012c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002602f4 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 00000001001d0e6e .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 000000010026059e .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a31401 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a31419 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a31431 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a3144a 2 bytes [A3, 75] .text ... * 9 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a314dd 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a314f5 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a3150d 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a31525 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a3153d 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a31555 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a3156d 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a31585 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a3159d 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a315b5 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a315cd 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a316b2 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3556] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a316bd 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 00000001001e091c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 00000001001e0048 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001001e02ee .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001001e04b2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001001e09fe .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 00000001001e0ae0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 00000001001e012a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 00000001001e0758 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 00000001001e0676 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001001e03d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 00000001001e0594 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 00000001001e083a .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 00000001001e020c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 00000001001e0f52 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 0000000100270210 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 0000000100270048 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a3fa9d1} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 00000001001e0ca6 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002703d8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 000000010027012c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002702f4 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 00000001001e0e6e .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 0000000100270762 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a31401 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a31419 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a31431 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a3144a 2 bytes [A3, 75] .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a314dd 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a314f5 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a3150d 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a31525 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a3153d 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a31555 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a3156d 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a31585 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a3159d 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a315b5 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a315cd 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a316b2 2 bytes [A3, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3588] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a316bd 2 bytes [A3, 75] .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 0000000100280f52 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 0000000100310210 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 0000000100310048 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a49a9d1} .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 0000000100280ca6 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001003103d8 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 000000010031012c .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001003102f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 0000000100280e6e .text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3856] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001003104bc .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010029091c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100290048 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002902ee .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002904b2 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002909fe .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100290ae0 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010029012a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100290758 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100290676 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002903d0 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100290594 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010029083a .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010029020c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001002a059e .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 0000000100290f52 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 00000001002a0210 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 00000001002a0048 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a42a9d1} .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 0000000100290ca6 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002a03d8 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 00000001002a012c .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002a02f4 .text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe[3204] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 0000000100290e6e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 00000001002c091c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 00000001002c0048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002c02ee .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002c04b2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002c09fe .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 00000001002c0ae0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010026004c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 00000001002c012a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 00000001002c0758 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 00000001002c0676 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002c03d0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 00000001002c0594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 00000001002c083a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 00000001002c020c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 00000001002c0f52 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 00000001002d0210 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 00000001002d0048 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a45a9d1} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 00000001002c0ca6 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002d03d8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 00000001002d012c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002d02f4 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 00000001002c0e6e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001002d059e .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a31401 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a31419 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a31431 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a3144a 2 bytes [A3, 75] .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a314dd 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a314f5 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a3150d 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a31525 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a3153d 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a31555 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a3156d 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a31585 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a3159d 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a315b5 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a315cd 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a316b2 2 bytes [A3, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a316bd 2 bytes [A3, 75] .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007784fc90 5 bytes JMP 000000010028091c .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007784fdf4 5 bytes JMP 0000000100280048 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007784fe88 5 bytes JMP 00000001002802ee .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007784ffe4 5 bytes JMP 00000001002804b2 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077850018 5 bytes JMP 00000001002809fe .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077850048 5 bytes JMP 0000000100280ae0 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077850064 5 bytes JMP 000000010002004c .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007785077c 5 bytes JMP 000000010028012a .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007785086c 5 bytes JMP 0000000100280758 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077850884 5 bytes JMP 0000000100280676 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077850dd4 5 bytes JMP 00000001002803d0 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077851900 5 bytes JMP 0000000100280594 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077851bc4 5 bytes JMP 000000010028083a .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077851d50 5 bytes JMP 000000010028020c .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000075e7524f 7 bytes JMP 0000000100280f52 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000075e753d0 7 bytes JMP 0000000100290210 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075e75677 1 byte JMP 0000000100290048 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075e75679 5 bytes {JMP 0xffffffff8a41a9d1} .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000075e7589a 7 bytes JMP 0000000100280ca6 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075e75a1d 7 bytes JMP 00000001002903d8 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075e75c9b 7 bytes JMP 000000010029012c .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075e75d87 7 bytes JMP 00000001002902f4 .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075e77240 7 bytes JMP 0000000100280e6e .text C:\Users\Kamila\Desktop\98nxb6dr.exe[3436] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075bd1492 7 bytes JMP 00000001002904bc ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef9562750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef9562b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef9567de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef9568130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef9561908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef9561c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef95681d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef9562878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef9567a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef9566c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef95677bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef9567064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef9566544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2088] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef9565e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.0 ---- Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1644] 0000000077883e45 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1656] 0000000077882e25 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1676] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1680] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1684] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1688] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1692] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1696] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1700] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1704] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1708] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1712] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1716] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1720] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1724] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1736] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1740] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1744] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1748] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1752] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1756] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1760] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1792] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1796] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1856] 0000000077883e45 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:1980] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:2684] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:2892] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:2896] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:2900] 00000000737529e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1636:2904] 00000000737529e1 Thread C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe [3204:1880] 0000000000020060 ---- Disk sectors - GMER 2.0 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.0 ----