GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-25 19:05:21 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST320LT012-9WS14C rev.0001SDM1 298,09GB Running: ekjh3g66.exe; Driver: C:\Users\dom\AppData\Local\Temp\pwldapow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff8000e1f6000 45 bytes [00, 00, 25, 02, 4D, 6D, 43, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff8000e1f602f 16 bytes [00, 02, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077491310 6 bytes {JMP QWORD [RIP+0x8e5ed20]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077491330 6 bytes {JMP QWORD [RIP+0x8e9ed00]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774913a0 6 bytes {JMP QWORD [RIP+0x8c9ec90]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00000000774913e0 6 bytes {JMP QWORD [RIP+0x8d5ec50]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077491420 6 bytes {JMP QWORD [RIP+0x8d9ec10]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077491480 6 bytes {JMP QWORD [RIP+0x8cbebb0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8e7eb10]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00000000774915d0 6 bytes {JMP QWORD [RIP+0x8d3ea60]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8e3ea50]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 6 bytes {JMP QWORD [RIP+0x8ebe9e0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077491670 6 bytes {JMP QWORD [RIP+0x8d1e9c0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8dfe830]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8dbe780]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077491e00 6 bytes {JMP QWORD [RIP+0x8e1e230]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077491e10 6 bytes {JMP QWORD [RIP+0x8cde220]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8cfe1f0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774920a0 6 bytes {JMP QWORD [RIP+0x8efdf90]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00000000774924e0 6 bytes {JMP QWORD [RIP+0x8d7db50]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8edd850]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077492b30 6 bytes {JMP QWORD [RIP+0x8ddd500]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\kernel32.dll!MapViewOfFile 000000007722d850 6 bytes {JMP QWORD [RIP+0x8e627e0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\kernel32.dll!CreateFileMappingA 000000007722df90 6 bytes {JMP QWORD [RIP+0x8e420a0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\kernel32.dll!CreateFileMappingW 000000007722eeb0 6 bytes {JMP QWORD [RIP+0x8ea1180]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077231890 6 bytes {JMP QWORD [RIP+0x8e7e7a0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000077241b80 6 bytes {JMP QWORD [RIP+0x8e0e4b0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\kernel32.dll!CreateRemoteThread 000000007726c8a0 6 bytes {JMP QWORD [RIP+0x8e83790]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772af490 6 bytes {JMP QWORD [RIP+0x8e60ba0]} .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes [B5, 6F, 07] .text C:\Windows\system32\lsm.exe[584] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes [0A, 60, 06] .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes CALL 77000026 .text C:\Windows\system32\atieclxx.exe[1136] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes CALL 9b90000 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077491310 6 bytes {JMP QWORD [RIP+0x8e5ed20]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077491330 6 bytes {JMP QWORD [RIP+0x8e9ed00]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774913a0 6 bytes {JMP QWORD [RIP+0x8c9ec90]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00000000774913e0 6 bytes {JMP QWORD [RIP+0x8d5ec50]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077491420 6 bytes {JMP QWORD [RIP+0x8d9ec10]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077491480 6 bytes {JMP QWORD [RIP+0x8cbebb0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8e7eb10]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00000000774915d0 6 bytes {JMP QWORD [RIP+0x8d3ea60]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8e3ea50]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 6 bytes {JMP QWORD [RIP+0x8ebe9e0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077491670 6 bytes {JMP QWORD [RIP+0x8d1e9c0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8dfe830]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8dbe780]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077491e00 6 bytes {JMP QWORD [RIP+0x8e1e230]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077491e10 6 bytes {JMP QWORD [RIP+0x8cde220]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8cfe1f0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774920a0 6 bytes {JMP QWORD [RIP+0x8efdf90]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00000000774924e0 6 bytes {JMP QWORD [RIP+0x8d7db50]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8edd850]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077492b30 6 bytes {JMP QWORD [RIP+0x8ddd500]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\kernel32.dll!MapViewOfFile 000000007722d850 6 bytes {JMP QWORD [RIP+0x8e627e0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\kernel32.dll!CreateFileMappingA 000000007722df90 6 bytes {JMP QWORD [RIP+0x8e420a0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\kernel32.dll!CreateFileMappingW 000000007722eeb0 6 bytes {JMP QWORD [RIP+0x8ea1180]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077231890 6 bytes {JMP QWORD [RIP+0x8e7e7a0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000077241b80 6 bytes {JMP QWORD [RIP+0x8e0e4b0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\kernel32.dll!CreateRemoteThread 000000007726c8a0 6 bytes {JMP QWORD [RIP+0x8e83790]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772af490 6 bytes {JMP QWORD [RIP+0x8e60ba0]} .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes CALL 77000026 .text C:\Windows\system32\Dwm.exe[1684] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes CALL 9b90000 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077491310 6 bytes {JMP QWORD [RIP+0x8e5ed20]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077491330 6 bytes {JMP QWORD [RIP+0x8e9ed00]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774913a0 6 bytes {JMP QWORD [RIP+0x8c9ec90]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00000000774913e0 6 bytes {JMP QWORD [RIP+0x8d5ec50]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077491420 6 bytes {JMP QWORD [RIP+0x8d9ec10]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077491480 6 bytes {JMP QWORD [RIP+0x8cbebb0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8e7eb10]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00000000774915d0 6 bytes {JMP QWORD [RIP+0x8d3ea60]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8e3ea50]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 6 bytes {JMP QWORD [RIP+0x8ebe9e0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077491670 6 bytes {JMP QWORD [RIP+0x8d1e9c0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8dfe830]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8dbe780]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077491e00 6 bytes {JMP QWORD [RIP+0x8e1e230]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077491e10 6 bytes JMP fd9254c2 .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8cfe1f0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774920a0 6 bytes {JMP QWORD [RIP+0x8efdf90]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00000000774924e0 6 bytes {JMP QWORD [RIP+0x8d7db50]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8edd850]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077492b30 6 bytes {JMP QWORD [RIP+0x8ddd500]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\kernel32.dll!MapViewOfFile 000000007722d850 6 bytes {JMP QWORD [RIP+0x8e627e0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\kernel32.dll!CreateFileMappingA 000000007722df90 6 bytes {JMP QWORD [RIP+0x8e420a0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\kernel32.dll!CreateFileMappingW 000000007722eeb0 6 bytes {JMP QWORD [RIP+0x8ea1180]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077231890 6 bytes {JMP QWORD [RIP+0x8e7e7a0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000077241b80 6 bytes {JMP QWORD [RIP+0x8e0e4b0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\kernel32.dll!CreateRemoteThread 000000007726c8a0 6 bytes {JMP QWORD [RIP+0x8e83790]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772af490 6 bytes JMP 0 .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes CALL 77000026 .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes CALL 9b90000 .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefee29980 6 bytes {JMP QWORD [RIP+0xb666b0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefee2a4c4 6 bytes {JMP QWORD [RIP+0xb45b6c]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd7b13b0 6 bytes {JMP QWORD [RIP+0x22fec80]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefd7b18e1 5 bytes {JMP QWORD [RIP+0x233e750]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd7b2200 6 bytes {JMP QWORD [RIP+0x22bde30]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd7b45c1 5 bytes {JMP QWORD [RIP+0x21fba70]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd7b4980 6 bytes {JMP QWORD [RIP+0x235b6b0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!send 000007fefd7b8000 6 bytes {JMP QWORD [RIP+0x2258030]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!sendto 000007fefd7bd7f0 6 bytes {JMP QWORD [RIP+0x2272840]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!recv 000007fefd7bdf40 6 bytes {JMP QWORD [RIP+0x22120f0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd7beb90 6 bytes {JMP QWORD [RIP+0x22314a0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd7bed50 6 bytes {JMP QWORD [RIP+0x23112e0]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd7de0f0 6 bytes {JMP QWORD [RIP+0x2271f40]} .text C:\Windows\Explorer.EXE[1696] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd7de6c0 6 bytes {JMP QWORD [RIP+0x22b1970]} .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[1676] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076e52c9e 4 bytes {CALL QWORD [RIP+0x71a9000a]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077491310 6 bytes {JMP QWORD [RIP+0x8e5ed20]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077491330 6 bytes {JMP QWORD [RIP+0x8e9ed00]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774913a0 6 bytes {JMP QWORD [RIP+0x8c9ec90]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00000000774913e0 6 bytes {JMP QWORD [RIP+0x8d5ec50]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077491420 6 bytes {JMP QWORD [RIP+0x8d9ec10]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077491480 6 bytes {JMP QWORD [RIP+0x8cbebb0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8e7eb10]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00000000774915d0 6 bytes {JMP QWORD [RIP+0x8d3ea60]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8e3ea50]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 6 bytes {JMP QWORD [RIP+0x8ebe9e0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077491670 6 bytes {JMP QWORD [RIP+0x8d1e9c0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8dfe830]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8dbe780]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077491e00 6 bytes {JMP QWORD [RIP+0x8e1e230]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077491e10 6 bytes {JMP QWORD [RIP+0x8cde220]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8cfe1f0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774920a0 6 bytes {JMP QWORD [RIP+0x8efdf90]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00000000774924e0 6 bytes {JMP QWORD [RIP+0x8d7db50]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8edd850]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077492b30 6 bytes {JMP QWORD [RIP+0x8ddd500]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\kernel32.dll!MapViewOfFile 000000007722d850 6 bytes {JMP QWORD [RIP+0x8e627e0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\kernel32.dll!CreateFileMappingA 000000007722df90 6 bytes {JMP QWORD [RIP+0x8e420a0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\kernel32.dll!CreateFileMappingW 000000007722eeb0 6 bytes {JMP QWORD [RIP+0x8ea1180]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077231890 6 bytes {JMP QWORD [RIP+0x8e7e7a0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000077241b80 6 bytes {JMP QWORD [RIP+0x8e0e4b0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\kernel32.dll!CreateRemoteThread 000000007726c8a0 6 bytes {JMP QWORD [RIP+0x8e83790]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772af490 6 bytes {JMP QWORD [RIP+0x8e60ba0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes [B5, 6F, 07] .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes CALL 2a0001 .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefee29980 6 bytes {JMP QWORD [RIP+0x7866b0]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefee2a4c4 6 bytes {JMP QWORD [RIP+0x765b6c]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007fefe7055c8 6 bytes {JMP QWORD [RIP+0xd3aa68]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007fefe71b85c 6 bytes {JMP QWORD [RIP+0xd047d4]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 000007fefe71b9d0 6 bytes {JMP QWORD [RIP+0x2c4660]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007fefe71ba3c 6 bytes {JMP QWORD [RIP+0x2a45f4]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\ADVAPI32.dll!LsaRemoveAccountRights 000007fefe729510 6 bytes {JMP QWORD [RIP+0xe46b20]} .text C:\Windows\system32\taskhost.exe[2248] C:\Windows\system32\ADVAPI32.dll!LsaAddAccountRights 000007fefe729580 6 bytes {JMP QWORD [RIP+0xe26ab0]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077491310 6 bytes {JMP QWORD [RIP+0x8e5ed20]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077491330 6 bytes {JMP QWORD [RIP+0x8e9ed00]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774913a0 6 bytes {JMP QWORD [RIP+0x8c9ec90]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00000000774913e0 6 bytes {JMP QWORD [RIP+0x8d5ec50]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077491420 6 bytes {JMP QWORD [RIP+0x8d9ec10]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077491480 6 bytes {JMP QWORD [RIP+0x8cbebb0]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8e7eb10]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00000000774915d0 6 bytes {JMP QWORD [RIP+0x8d3ea60]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8e3ea50]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 6 bytes {JMP QWORD [RIP+0x8ebe9e0]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077491670 6 bytes {JMP QWORD [RIP+0x8d1e9c0]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8dfe830]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8dbe780]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077491e00 6 bytes {JMP QWORD [RIP+0x8e1e230]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077491e10 6 bytes {JMP QWORD [RIP+0x8cde220]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8cfe1f0]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774920a0 6 bytes {JMP QWORD [RIP+0x8efdf90]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00000000774924e0 6 bytes {JMP QWORD [RIP+0x8d7db50]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8edd850]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077492b30 6 bytes {JMP QWORD [RIP+0x8ddd500]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes CALL 77000026 .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes CALL 9b90000 .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefee29980 6 bytes {JMP QWORD [RIP+0x3266b0]} .text C:\Windows\system32\taskeng.exe[3048] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefee2a4c4 6 bytes {JMP QWORD [RIP+0x305b6c]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076e52c9e 4 bytes {CALL QWORD [RIP+0x71a9000a]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!sendto 0000000075a134b5 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a13918 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSAStartup 0000000075a13ab2 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a14406 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a16b0e 6 bytes {JMP QWORD [RIP+0x71a4001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a16bdd 6 bytes {JMP QWORD [RIP+0x71ab001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!send 0000000075a16f01 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a17089 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!recvfrom 0000000075a1b6dc 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 0000000075a1cba6 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a1cc3f 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[2472] C:\Windows\syswow64\WS2_32.dll!WSASendTo 0000000075a2b30c 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076e52c9e 4 bytes CALL 71aa0000 .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!sendto 0000000075a134b5 6 bytes {JMP QWORD [RIP+0x719c001e]} .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a13918 6 bytes JMP 718b000a .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!WSAStartup 0000000075a13ab2 6 bytes JMP 7188000a .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a14406 6 bytes {JMP QWORD [RIP+0x7190001e]} .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a16b0e 6 bytes JMP 71a6000a .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a16bdd 6 bytes JMP 71ad000a .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!send 0000000075a16f01 6 bytes JMP 71a0000a .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a17089 6 bytes {JMP QWORD [RIP+0x7196001e]} .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!recvfrom 0000000075a1b6dc 6 bytes {JMP QWORD [RIP+0x71a2001e]} .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 0000000075a1cba6 6 bytes {JMP QWORD [RIP+0x7193001e]} .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a1cc3f 6 bytes JMP 719a000a .text C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe[3512] C:\Windows\syswow64\WS2_32.dll!WSASendTo 0000000075a2b30c 6 bytes {JMP QWORD [RIP+0x718d001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076e52c9e 4 bytes {CALL QWORD [RIP+0x71a9000a]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!sendto 0000000075a134b5 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000075a13918 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!WSAStartup 0000000075a13ab2 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!WSASend 0000000075a14406 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!recv 0000000075a16b0e 6 bytes {JMP QWORD [RIP+0x71a4001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!connect 0000000075a16bdd 6 bytes {JMP QWORD [RIP+0x71ab001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!send 0000000075a16f01 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!WSARecv 0000000075a17089 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!recvfrom 0000000075a1b6dc 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom 0000000075a1cba6 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!WSAConnect 0000000075a1cc3f 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\ASUS\InstantOn for NB\InsOnWMI.exe[3292] C:\Windows\syswow64\WS2_32.dll!WSASendTo 0000000075a2b30c 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes CALL 77000026 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes CALL 9b90000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd7b13b0 6 bytes {JMP QWORD [RIP+0x13aec80]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefd7b18e1 5 bytes JMP 330000 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd7b2200 6 bytes {JMP QWORD [RIP+0x12cde30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd7b45c1 5 bytes {JMP QWORD [RIP+0x120ba70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd7b4980 6 bytes {JMP QWORD [RIP+0x140b6b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!send 000007fefd7b8000 6 bytes {JMP QWORD [RIP+0x1268030]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!sendto 000007fefd7bd7f0 6 bytes {JMP QWORD [RIP+0x1282840]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!recv 000007fefd7bdf40 6 bytes {JMP QWORD [RIP+0x12220f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd7beb90 6 bytes {JMP QWORD [RIP+0x12414a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd7bed50 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd7de0f0 6 bytes {JMP QWORD [RIP+0x1281f40]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4548] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd7de6c0 6 bytes {JMP QWORD [RIP+0x1361970]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077491310 6 bytes {JMP QWORD [RIP+0x8e5ed20]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077491330 6 bytes {JMP QWORD [RIP+0x8e9ed00]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774913a0 6 bytes {JMP QWORD [RIP+0x8c9ec90]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00000000774913e0 6 bytes {JMP QWORD [RIP+0x8d5ec50]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077491420 6 bytes {JMP QWORD [RIP+0x8d9ec10]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077491480 6 bytes {JMP QWORD [RIP+0x8cbebb0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8e7eb10]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00000000774915d0 6 bytes {JMP QWORD [RIP+0x8d3ea60]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8e3ea50]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 6 bytes {JMP QWORD [RIP+0x8ebe9e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077491670 6 bytes {JMP QWORD [RIP+0x8d1e9c0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8dfe830]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8dbe780]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077491e00 6 bytes {JMP QWORD [RIP+0x8e1e230]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077491e10 6 bytes {JMP QWORD [RIP+0x8cde220]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8cfe1f0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774920a0 6 bytes {JMP QWORD [RIP+0x8efdf90]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00000000774924e0 6 bytes {JMP QWORD [RIP+0x8d7db50]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8edd850]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077492b30 6 bytes {JMP QWORD [RIP+0x8ddd500]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\kernel32.dll!MapViewOfFile 000000007722d850 6 bytes {JMP QWORD [RIP+0x8e627e0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\kernel32.dll!CreateFileMappingA 000000007722df90 6 bytes {JMP QWORD [RIP+0x8e420a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\kernel32.dll!CreateFileMappingW 000000007722eeb0 6 bytes {JMP QWORD [RIP+0x8ea1180]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077231890 6 bytes {JMP QWORD [RIP+0x8e7e7a0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000077241b80 6 bytes {JMP QWORD [RIP+0x8e0e4b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\kernel32.dll!CreateRemoteThread 000000007726c8a0 6 bytes {JMP QWORD [RIP+0x8e83790]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772af490 6 bytes {JMP QWORD [RIP+0x8e60ba0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes [B5, 6F, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes [0A, 60, 06] .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefee29980 6 bytes {JMP QWORD [RIP+0x3266b0]} .text C:\Windows\system32\wbem\wmiprvse.exe[4152] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefee2a4c4 6 bytes {JMP QWORD [RIP+0x305b6c]} .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4328] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076e52c9e 4 bytes CALL 71aa0000 .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 0000000077491310 6 bytes {JMP QWORD [RIP+0x8e5ed20]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077491330 6 bytes {JMP QWORD [RIP+0x8e9ed00]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000774913a0 6 bytes {JMP QWORD [RIP+0x8c9ec90]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00000000774913e0 6 bytes {JMP QWORD [RIP+0x8d5ec50]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 0000000077491420 6 bytes {JMP QWORD [RIP+0x8d9ec10]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 0000000077491480 6 bytes {JMP QWORD [RIP+0x8cbebb0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077491520 6 bytes {JMP QWORD [RIP+0x8e7eb10]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00000000774915d0 6 bytes {JMP QWORD [RIP+0x8d3ea60]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000774915e0 6 bytes {JMP QWORD [RIP+0x8e3ea50]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077491650 6 bytes {JMP QWORD [RIP+0x8ebe9e0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077491670 6 bytes {JMP QWORD [RIP+0x8d1e9c0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077491800 6 bytes {JMP QWORD [RIP+0x8dfe830]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000774918b0 6 bytes {JMP QWORD [RIP+0x8dbe780]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077491e00 6 bytes {JMP QWORD [RIP+0x8e1e230]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 0000000077491e10 6 bytes {JMP QWORD [RIP+0x8cde220]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077491e40 6 bytes {JMP QWORD [RIP+0x8cfe1f0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774920a0 6 bytes {JMP QWORD [RIP+0x8efdf90]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00000000774924e0 6 bytes {JMP QWORD [RIP+0x8d7db50]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774927e0 6 bytes {JMP QWORD [RIP+0x8edd850]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\SYSTEM32\ntdll.dll!NtUnloadKey 0000000077492b30 6 bytes {JMP QWORD [RIP+0x8ddd500]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\kernel32.dll!MapViewOfFile 000000007722d850 6 bytes {JMP QWORD [RIP+0x8e627e0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\kernel32.dll!CreateFileMappingA 000000007722df90 6 bytes {JMP QWORD [RIP+0x8e420a0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\kernel32.dll!CreateFileMappingW 000000007722eeb0 6 bytes {JMP QWORD [RIP+0x8ea1180]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000077231890 6 bytes {JMP QWORD [RIP+0x8e7e7a0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\kernel32.dll!MapViewOfFileEx 0000000077241b80 6 bytes {JMP QWORD [RIP+0x8e0e4b0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\kernel32.dll!CreateRemoteThread 000000007726c8a0 6 bytes {JMP QWORD [RIP+0x8e83790]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 00000000772af490 6 bytes {JMP QWORD [RIP+0x8e60ba0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes CALL 77000026 .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes CALL 9b90000 .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\ole32.dll!CLSIDFromProgID 000007fefee29980 6 bytes {JMP QWORD [RIP+0x3266b0]} .text C:\Windows\system32\SearchIndexer.exe[6292] C:\Windows\system32\ole32.dll!CLSIDFromProgIDEx 000007fefee2a4c4 6 bytes {JMP QWORD [RIP+0x305b6c]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd289055 3 bytes [B5, 6F, 07] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefd289ff2 3 bytes [0A, 60, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSASend 000007fefd7b13b0 6 bytes {JMP QWORD [RIP+0x2aec80]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!closesocket + 1 000007fefd7b18e1 5 bytes {JMP QWORD [RIP+0x2ee750]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSARecv 000007fefd7b2200 6 bytes {JMP QWORD [RIP+0x26de30]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefd7b45c1 5 bytes {JMP QWORD [RIP+0x1aba70]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefd7b4980 6 bytes {JMP QWORD [RIP+0x30b6b0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!send 000007fefd7b8000 6 bytes {JMP QWORD [RIP+0x208030]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!sendto 000007fefd7bd7f0 6 bytes {JMP QWORD [RIP+0x222840]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!recv 000007fefd7bdf40 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!recvfrom 000007fefd7beb90 6 bytes {JMP QWORD [RIP+0x1e14a0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSASendTo 000007fefd7bed50 6 bytes {JMP QWORD [RIP+0x2c12e0]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefd7de0f0 6 bytes JMP 0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4608] C:\Windows\system32\WS2_32.dll!WSARecvFrom 000007fefd7de6c0 6 bytes {JMP QWORD [RIP+0x261970]} .text C:\Users\dom\Downloads\ekjh3g66.exe[8132] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076e52c9e 4 bytes CALL 71a90000 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Windows\system32\Dwm.exe[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Windows\system32\dwmredir.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Windows\system32\VERSION.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\Dwm.exe[1684] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE[ADVAPI32.dll!StartServiceW] [7feff8e0000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE[ADVAPI32.dll!OpenServiceW] [7feff880000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE[ADVAPI32.dll!CloseServiceHandle] [7feff780000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\Explorer.EXE[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\EXPLORERFRAME.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\DUser.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\DUI70.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\IMM32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\CFGMGR32.dll[ADVAPI32.dll!CloseServiceHandle] [7feff780000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\CFGMGR32.dll[ADVAPI32.dll!OpenServiceW] [7feff880000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\CFGMGR32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_2b283fd671e9bf4d\gdiplus.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\Secur32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\WINSTA.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\WindowsCodecs.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\apphelp.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCP90.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\EhStorShell.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\ntshrui.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\srvcli.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\IconCodecService.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\version.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\SndVolSSO.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\HID.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\MMDevApi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\ATL.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\WLDAP32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\actxprxy.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\shdocvw.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\LINKINFO.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\gameux.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\XmlLite.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\wer.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\netutils.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msls31.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msiltcfg.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!StartServiceW] [7feff8e0000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!DeleteService] [7feff7e0000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!ControlService] [7feff7b0000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!CloseServiceHandle] [7feff780000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!OpenServiceW] [7feff880000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\authui.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\iertutil.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\WININET.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\PSAPI.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\NetworkExplorer.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\WINMM.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\wdmaud.drv[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\AUDIOSES.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\msacm32.drv[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\stobject.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\BatMeter.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\WINHTTP.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\midimap.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\ehome\ehSSO.dll[ADVAPI32.dll!OpenServiceW] [7feff880000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\ehome\ehSSO.dll[ADVAPI32.dll!CloseServiceHandle] [7feff780000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\ehome\ehSSO.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\netshell.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\nlaapi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\Actioncenter.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\wevtapi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\AltTab.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\fxsst.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\PortableDeviceTypes.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\pnidui.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\pnidui.dll[ADVAPI32.dll!OpenServiceW] [7feff880000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\pnidui.dll[ADVAPI32.dll!CloseServiceHandle] [7feff780000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\PortableDeviceApi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\srchadmin.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\van.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\RasMM.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\UIAnimation.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\Wpc.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\msxml6.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\SyncCenter.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\MsftEdit.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\ieframe.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\werconcpl.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\hcproviders.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\windowscodecsext.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\UIAutomationCore.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\StructuredQuery.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\MPR.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\wkscli.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\EhStorAPI.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\WWanMM.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\WlanMM.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\wlanutil.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\OneX.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\eappprxy.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\eappcfg.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\QAgent.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\imapi2.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\hgcpl.dll[ADVAPI32.dll!OpenServiceW] [7feff880000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\hgcpl.dll[ADVAPI32.dll!StartServiceW] [7feff8e0000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\hgcpl.dll[ADVAPI32.dll!CloseServiceHandle] [7feff780000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\hgcpl.dll[ADVAPI32.dll!ControlService] [7feff7b0000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\hgcpl.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\provsvc.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\provsvc.dll[ADVAPI32.dll!CloseServiceHandle] [7feff780000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\provsvc.dll[ADVAPI32.dll!StartServiceW] [7feff8e0000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\provsvc.dll[ADVAPI32.dll!OpenServiceW] [7feff880000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\dsrole.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\SearchFolder.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\System32\NaturalLanguage6.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\Explorer.EXE[1696] @ C:\Windows\system32\MLANG.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\taskhost.exe[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\version.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\wininet.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\shlwapi.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\System32\PlaySndSrv.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\ESENT.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\psapi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\WINMM.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\System32\nlaapi.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\dsrole.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\MMDevAPI.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\wdmaud.drv[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\CFGMGR32.dll[ADVAPI32.dll!CloseServiceHandle] [7feff3a0000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\CFGMGR32.dll[ADVAPI32.dll!OpenServiceW] [7feff4a0000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\CFGMGR32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\AUDIOSES.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\msacm32.drv[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskhost.exe[2248] @ C:\Windows\system32\midimap.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskeng.exe[3048] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskeng.exe[3048] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\taskeng.exe[3048] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\wbem\wmiprvse.exe[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\wbemcomn.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\wbem\FastProx.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\WLDAP32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\wbem\wbemsvc.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\wbem\wmiutils.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\wbem\wmiprov.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\wbem\wmiprvse.exe[4152] @ C:\Windows\system32\wbem\esscli.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\SearchIndexer.exe[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\TQUERY.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\MSSRCH.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\ESENT.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\Msidle.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Program Files\Common Files\Microsoft Shared\Ink\IpsPlugin.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\WINSTA.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\netutils.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\propsys.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\WLDAP32.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\apphelp.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\System32\NaturalLanguage6.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\elscore.dll[KERNEL32.dll!TerminateProcess] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[6292] @ C:\Windows\system32\ElsLad.dll[KERNEL32.dll!TerminateProcess] [80000000] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\lsm.exe [584:3368] 000007feffff0000 Thread C:\Windows\system32\lsm.exe [584:3420] 000000001005e018 Thread C:\Windows\system32\Dwm.exe [1684:3608] 000007feffff0000 Thread C:\Windows\Explorer.EXE [1696:3092] 000007feffff0000 Thread C:\Windows\System32\spoolsv.exe [1092:4064] 000007fef54910c8 Thread C:\Windows\System32\spoolsv.exe [1092:3172] 000007fef50d6144 Thread C:\Windows\System32\spoolsv.exe [1092:3788] 000007fef4ba5fd0 Thread C:\Windows\System32\spoolsv.exe [1092:3968] 000007fef5243438 Thread C:\Windows\System32\spoolsv.exe [1092:3268] 000007fef4ba63ec Thread C:\Windows\System32\spoolsv.exe [1092:3848] 000007fef6185e5c Thread C:\Windows\System32\spoolsv.exe [1092:2812] 0000000001edf110 Thread C:\Windows\System32\spoolsv.exe [1092:3300] 0000000001edd3e0 Thread C:\Windows\System32\spoolsv.exe [1092:2728] 000007fef5268760 Thread C:\Windows\system32\taskhost.exe [2248:2524] 000007feffff0000 Thread C:\Windows\system32\taskeng.exe [3048:1728] 000007feffff0000 Thread C:\Windows\system32\taskeng.exe [3048:3716] 000000001005e018 Thread C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [4548:4324] 000007feffff0000 Thread C:\Windows\system32\wbem\wmiprvse.exe [4152:4440] 000007feffff0000 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4328:2308] 0000000071af0000 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4328:6092] 000000006493f71d Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4328:5704] 000000006493f71d Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4328:5724] 0000000064935b1a Thread C:\Windows\system32\SearchIndexer.exe [6292:6288] 000007feffff0000 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4608:5076] 000007feffff0000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----