GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-12 16:15:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GT00 596,17GB Running: s5h9b279.exe; Driver: C:\Users\1\AppData\Local\Temp\kwddipow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\services.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[316] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[428] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[736] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[1240] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1656] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text 
C:\Windows\system32\nvvsvc.exe[1680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1884] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1884] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[1920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[1920] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[1920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[1920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Windows\SysWOW64\svchost.exe[1040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Windows\SysWOW64\schtasks.exe[1124] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Windows\SysWOW64\schtasks.exe[1124] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Windows\SysWOW64\schtasks.exe[1124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Windows\SysWOW64\schtasks.exe[1124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[620] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[620] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 .text C:\Windows\Explorer.EXE[2372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2476] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2476] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\ProgramData\BitGuard\2.6.1694.246\{c16c1ccb-1111-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Windows\system32\taskhost.exe[2676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2324] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2324] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 .text C:\Windows\system32\svchost.exe[2292] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2888] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe[2436] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001002b075c .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001002b03a4 .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001002b0b14 .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001002b0ecc .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001002b163c .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001002b1284 .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001002b19f4 .text C:\Windows\system32\taskeng.exe[3488] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\system32\taskeng.exe[3488] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[3540] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[3540] 
C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe[3540] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Windows\system32\TODDSrv.exe[3564] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\system32\TODDSrv.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\system32\TODDSrv.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\system32\TODDSrv.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\system32\TODDSrv.exe[3564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\system32\TODDSrv.exe[3564] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\system32\TODDSrv.exe[3564] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\system32\TODDSrv.exe[3564] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001003e075c .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001003e03a4 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001003e0b14 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001003e0ecc .text 
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001003e163c .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001003e1284 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001003e19f4 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[3672] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 
bytes JMP 000000010019075c .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001001903a4 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 0000000100190b14 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 0000000100190ecc .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 000000010019163c .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 0000000100191284 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001001919f4 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text 
C:\Windows\System32\svchost.exe[3768] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000077928550 5 bytes JMP 000000010023075c .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 000000007792d440 5 bytes JMP 0000000100231284 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007792f874 5 bytes JMP 0000000100230ecc .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077934d4c 5 bytes JMP 00000001002303a4 .text C:\Windows\System32\svchost.exe[3768] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077948c20 5 bytes JMP 0000000100230b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001003d075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001003d03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001003d0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001003d0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001003d163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001003d1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001003d19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3792] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3896] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3896] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3896] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3896] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3896] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft Application 
Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000776f5181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000776f5254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000776f53d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000776f54c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000776f55e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000776f567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000776f589f 5 bytes JMP 00000001001003fc .text 
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000776f5a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007721ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077223982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077227603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007722835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007723f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[3924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000776f5181 5 bytes JMP 0000000100091014 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000776f5254 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Common Files\Microsoft 
Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000776f53d5 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000776f54c2 5 bytes JMP 0000000100090c0c .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000776f55e2 5 bytes JMP 0000000100090e10 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000776f567c 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000776f589f 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000776f5a22 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007721ee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077223982 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077227603 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007722835c 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] 
C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007723f52b 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... * 2 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 000000010051075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001005103a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 0000000100510b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 0000000100510ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 000000010051163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 0000000100511284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001005119f4 .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2068] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4200] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 
bytes JMP 000007ff7e6f0ecc .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[4200] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Windows\system32\svchost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\system32\svchost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\system32\svchost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\system32\svchost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\system32\svchost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\system32\svchost.exe[4268] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\system32\svchost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\system32\svchost.exe[4268] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 000000010022075c .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001002203a4 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 0000000100220b14 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 0000000100220ecc .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 000000010022163c .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 0000000100221284 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001002219f4 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 
000007ff7e6f0ecc .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[4896] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 000000010047075c .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001004703a4 .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 0000000100470b14 .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 0000000100470ecc .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 000000010047163c .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 0000000100471284 .text C:\Program Files\TOSHIBA\Power 
Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001004719f4 .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[4948] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001004c075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001004c03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001004c0b14 
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001004c0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001004c163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001004c1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001004c19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[5080] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 
bytes JMP 000007ff7e6f0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001003e075c .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001003e03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001003e0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001003e0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001003e163c .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001003e1284 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001003e19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 
000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[5092] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001002d075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001002d03a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001002d0b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001002d0ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001002d163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001002d1284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001002d19f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 
bytes JMP 000007ff7e6f0ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3316] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 000000010016075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001001603a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 0000000100160b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 0000000100160ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 000000010016163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 
0000000077a717b0 5 bytes JMP 0000000100161284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001001619f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe[4220] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes 
JMP 00000001001e075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001001e03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001001e0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001001e0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001001e163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001001e1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001001e19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 
000007ff7e6f03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3044] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001001c075c .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001001c163c .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\system32\SearchIndexer.exe[4936] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\system32\SearchIndexer.exe[4936] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1936] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1936] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1936] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[1936] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files 
(x86)\TOSHIBA\ConfigFree\CFSwMgr.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe[4420] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe[4420] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe[4420] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] 
C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007721ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077223982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077227603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007722835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007723f52b 3 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx + 4 000000007723f52f 1 byte [89] .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000776f5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000776f5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000776f53d5 5 bytes JMP 
0000000100250a08 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000776f54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000776f55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000776f567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000776f589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000776f5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[5168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 000000010034075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001003403a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 0000000100340b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 0000000100340ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 000000010034163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 0000000100341284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001003419f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[5228] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5244] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001002a075c .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001002a03a4 .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001002a0b14 .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001002a0ecc .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001002a163c .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 
00000001002a1284 .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001002a19f4 .text C:\Windows\system32\notepad.exe[5980] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\system32\notepad.exe[5980] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001002d075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001002d03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001002d0b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service 
Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001002d0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001002d163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001002d1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001002d19f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5312] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001003a075c .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001003a03a4 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001003a0b14 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001003a0ecc .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001003a163c .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001003a1284 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001003a19f4 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\system32\svchost.exe[3400] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 000000010029075c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001002903a4 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 0000000100290b14 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 0000000100290ecc .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 000000010029163c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 0000000100291284 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001002919f4 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 
000007ff7e6f0ecc .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[2812] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001002d075c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001002d03a4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001002d0b14 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001002d0ecc .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001002d163c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 
bytes JMP 00000001002d1284 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001002d19f4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[1928] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[5260] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[5260] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 
0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[5260] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[5260] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[5260] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[5260] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[5260] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[5260] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000776f5181 5 bytes JMP 00000001001d1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000776f5254 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000776f53d5 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000776f54c2 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000776f55e2 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000776f567c 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000776f589f 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000776f5a22 5 bytes JMP 00000001001d0600 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007721ee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077223982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077227603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007722835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007723f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007721ee09 5 bytes JMP 00000001001501f8 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077223982 5 bytes JMP 00000001001503fc .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077227603 5 bytes JMP 0000000100150804 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007722835c 5 bytes JMP 0000000100150600 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text c:\Program Files 
(x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007723f52b 5 bytes JMP 0000000100150a08 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000776f5181 5 bytes JMP 00000001001e1014 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000776f5254 5 bytes JMP 00000001001e0804 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000776f53d5 5 bytes JMP 00000001001e0a08 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000776f54c2 5 bytes JMP 00000001001e0c0c .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000776f55e2 5 bytes JMP 00000001001e0e10 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000776f567c 5 bytes JMP 00000001001e01f8 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000776f589f 5 bytes JMP 00000001001e03fc .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000776f5a22 5 bytes JMP 00000001001e0600 .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 .text C:\Windows\system32\wbem\wmiprvse.exe[4776] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Windows\system32\wbem\wmiprvse.exe[4776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Windows\system32\wbem\wmiprvse.exe[4776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Windows\system32\wbem\wmiprvse.exe[4776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[4776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Windows\system32\wbem\wmiprvse.exe[4776] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000776f5181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000776f5254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000776f53d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000776f54c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000776f55e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000776f567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000776f589f 5 bytes JMP 00000001002403fc .text C:\Program 
Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000776f5a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007721ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077223982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077227603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007722835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007723f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 000000010045075c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001004503a4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 0000000100450b14 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 0000000100450ecc .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 000000010045163c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 0000000100451284 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001004519f4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe[5068] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43b10 5 bytes JMP 00000001002a075c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077a47ac0 5 bytes JMP 00000001002a03a4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a71430 5 bytes JMP 00000001002a0b14 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077a71490 5 bytes JMP 00000001002a0ecc .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a71570 5 bytes JMP 00000001002a163c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a717b0 5 bytes JMP 00000001002a1284 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a727e0 5 bytes JMP 00000001002a19f4 .text C:\Program 
Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007785eecd 1 byte [62] .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe6d6e00 5 bytes JMP 000007ff7e6f1dac .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe6d6f2c 5 bytes JMP 000007ff7e6f0ecc .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe6d7220 5 bytes JMP 000007ff7e6f1284 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe6d739c 5 bytes JMP 000007ff7e6f163c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe6d7538 5 bytes JMP 000007ff7e6f19f4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6d75e8 5 bytes JMP 000007ff7e6f03a4 .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe6d790c 5 bytes JMP 000007ff7e6f075c .text C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe[1792] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe6d7ab4 5 bytes JMP 000007ff7e6f0b14 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077c1fac0 5 bytes JMP 0000000100030600 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077c1fb58 5 bytes JMP 0000000100030804 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fcb0 5 bytes JMP 0000000100030c0c 
.text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c20038 5 bytes JMP 0000000100030a08 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c21920 5 bytes JMP 0000000100030e10 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077c3c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41287 5 bytes JMP 00000001000303fc .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076bfa2ba 1 byte [62] .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000776f5181 5 bytes JMP 0000000100241014 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000776f5254 5 bytes JMP 0000000100240804 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000776f53d5 5 bytes JMP 0000000100240a08 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000776f54c2 5 bytes JMP 0000000100240c0c .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000776f55e2 5 bytes JMP 0000000100240e10 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000776f567c 5 bytes JMP 00000001002401f8 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000776f589f 5 bytes JMP 00000001002403fc .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\SysWOW64\sechost.dll!DeleteService 
00000000776f5a22 5 bytes JMP 0000000100240600 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007721ee09 5 bytes JMP 00000001002501f8 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077223982 5 bytes JMP 00000001002503fc .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077227603 5 bytes JMP 0000000100250804 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007722835c 5 bytes JMP 0000000100250600 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007723cfca 5 bytes JMP 0000000173cd46b0 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007723f52b 5 bytes JMP 0000000100250a08 .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d61465 2 bytes [D6, 76] .text C:\Users\1\Desktop\RAFAL\Nowy folder\s5h9b279.exe[4364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d614bb 2 bytes [D6, 76] .text ... 
* 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [3768:2952] 000007fef4749688 Thread [6008:6024] 0000000077c52e65 Thread [6008:6044] 0000000071db786a Thread [6008:6048] 0000000077c53e85 Thread [6008:6052] 00000000758ad864 Thread [6008:6076] 0000000077c57151 Thread [6008:4980] 000000006dfc28b3 Thread [6008:4976] 000000006de9f956 Thread [6008:3068] 000000006de9f956 Thread [6008:3960] 00000000775412e5 Thread [6008:5776] 00000000775412e5 Thread [6008:5800] 0000000077c53e85 Thread [6008:5808] 000000006de9f956 Thread [6008:5772] 00000000749162ee Thread [6008:5556] 0000000076a050f8 Thread [6008:3204] 0000000077c53e85 Thread [6008:724] 00000000756df35a Thread [6008:4520] 00000000690280eb Thread [6008:4488] 00000000690280eb Thread [6008:4544] 00000000690280eb Thread [6008:5268] 00000000690280eb Thread [6008:2996] 00000000690280eb Thread [6008:3052] 00000000690280eb Thread [6008:2876] 0000000069337c10 Thread [6008:4860] 0000000077c53e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:2980] 00000000776f7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:936] 0000000071a70cb3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:4428] 0000000077c52e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:3348] 0000000077c53e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3600:1436] 0000000077c53e85 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{08BE872C-EE43-496D-BFC1-C73532544DDB}\Connection@Name isatap.{7CE6286D-86CB-410B-BF17-2E68489D695C} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind 
\Device\{40434024-93AA-4C14-B79B-95773217CF33}?\Device\{59CF765F-3765-43A9-9C46-AB9EF810EFB9}?\Device\{08BE872C-EE43-496D-BFC1-C73532544DDB}?\Device\{13796611-17AC-4ACB-B083-2A08BA715538}?\Device\{5C2A4F78-0582-4335-B401-F86CBE9CAD77}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{40434024-93AA-4C14-B79B-95773217CF33}"?"{59CF765F-3765-43A9-9C46-AB9EF810EFB9}"?"{08BE872C-EE43-496D-BFC1-C73532544DDB}"?"{13796611-17AC-4ACB-B083-2A08BA715538}"?"{5C2A4F78-0582-4335-B401-F86CBE9CAD77}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{40434024-93AA-4C14-B79B-95773217CF33}?\Device\TCPIP6TUNNEL_{59CF765F-3765-43A9-9C46-AB9EF810EFB9}?\Device\TCPIP6TUNNEL_{08BE872C-EE43-496D-BFC1-C73532544DDB}?\Device\TCPIP6TUNNEL_{13796611-17AC-4ACB-B083-2A08BA715538}?\Device\TCPIP6TUNNEL_{5C2A4F78-0582-4335-B401-F86CBE9CAD77}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 73 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 705044 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{08BE872C-EE43-496D-BFC1-C73532544DDB}@InterfaceName isatap.{7CE6286D-86CB-410B-BF17-2E68489D695C} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{08BE872C-EE43-496D-BFC1-C73532544DDB}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? 
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 73 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 705044 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----