Ginyas Browser Companion in Chrome Browser

PhattCasper · 26.03.2013, 18:23

Hallo Forum,

ich habe mir irgendwie das Addon Ginyas Browser Companion eingefangen. Achte immer auf irgendwelche Toolbar Software Sachen aber habe es irgendwie trotzdem bekommen. Es erscheint auf manchen Seiten ein Popup, welches mir Rabatte andrehen will. Anleitung zu Deinstallation beschreiben die Deaktivierung vom Addon in den Browser Erweiterungen und die Deinstallation in Systemsteuerung -> Programme Deinstallieren. Kann in beiden Listen aber keine Einträge finden. Außerdem habe ich Scans mit adwcleaner und Antimalwarebytes drüber laufen lassen. Das Problem habe ich dennoch weiterhin.

Hat jemand eine Idee, wie ich das wegbekomme?

Danke schon mal

M-K-D-B · 26.03.2013, 19:34

Mein Name ist Matthias und ich werde dir bei der Bereinigung deines Computers helfen.

Bitte beachte folgende Hinweise:

Eine Bereinigung ist mitunter mit viel Arbeit für dich verbunden. Es können mehrere Analyse- und Bereinigungsschritte erforderlich sein.
Abschließend entfernen wir wieder alle verwendeten Programme und ich gebe dir ein paar Tipps für die Zukunft mit auf den Weg.
Bei Anzeichen von illegaler Software wird der Support ohne Diskussion eingestellt.
Bitte arbeite alle Schritte in der vorgegebenen Reihefolge nacheinander ab.
Lies dir die Anleitungen sorgfältig durch. Solltest du Probleme haben, stoppe mit deiner Bearbeitung und beschreibe mir dein Problem so gut es geht.
Führe nur Scans durch, zu denen du von mir oder einem anderen Helfer aufgefordert wirst.
Bitte kein Crossposting (posten in mehreren Foren).
Installiere oder deinstalliere während der Bereinigung keine Software außer du wirst dazu aufgefordert.
Solltest du mir nicht innerhalb von 3 Tagen antworten, gehe ich davon aus, dass du keine Hilfe mehr benötigst. Dann lösche ich dein Thema aus meinem Abo.
Solltest du einmal länger abwesend sein, so gib mir bitte Bescheid!
Alle zu verwendenen Programme sind auf dem Desktop abzuspeichern und von dort zu starten!
Ich kann Dir niemals eine Garantie geben, dass auch ich alles finde. Eine Formatierung ist meist der schnellere und immer der sicherste Weg.
Solltest Du Dich für eine Bereinigung entscheiden, arbeite solange mit, bis dir jemand vom Team sagt, dass Du clean bist.

Zitat:

Zitat von PhattCasper

Außerdem habe ich Scans mit adwcleaner und Antimalwarebytes drüber laufen lassen. Das Problem habe ich dennoch weiterhin.

Poste mir bitte alle Logdateien von AdwCleaner und Malwarebytes' Anti-Malware.

Schritt 1
Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop (falls noch nicht vorhanden).

Starte bitte die OTL.exe.
Oben findest Du ein Kästchen mit Ausgabe. Wähle bitte Standard Ausgabe.
Setze einen Haken bei Scanne alle Benutzer.
Unter Extra Registry, wähle bitte Use SafeList.
Kopiere nun den Inhalt aus der Codebox in die Textbox.

Code:

ATTFilter

activex
msconfig
CREATERESTOREPOINT

Schließe bitte nun alle Programme. (Wichtig)
Klicke nun bitte auf den Scan Button.
Am Ende des Suchlaufs werden 2 Logdateien erstellt.
Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Deinen Thread

Schritt 2
Downloade Dir bitte defogger von jpshortstuff auf Deinem Desktop.

Starte das Tool mit Doppelklick.
Klicke nun auf den Disable Button, um die Treiber gewisser Emulatoren zu deaktivieren.
Defogger wird dich fragen "Defogger will forcefully terminate and disable all CD Emulator related drivers and processes... Continue?" bestätige diese Sicherheitsabfrage mit Ja.
Wenn der Scan beendet wurde (Finished), klicke auf OK.
Defogger fordert gegebenfalls zum Neustart auf. Bestätige dies mit OK.
Defogger erstellt auf dem Desktop eine Logdatei mit dem Namen defogger_disable.txt. Poste deren Inhalt mit deiner nächsten Antwort.

Klicke den Re-enable Button nicht ohne Anweisung!

Schritt 3
Bitte lade dir

GMER herunter: (Dateiname zufällig)

Schließe alle anderen Programme, deaktiviere deinen Virenscanner und trenne den Rechner vom Internet bevor du GMER startest.
Sollte sich nach dem Start ein Fenster mit folgender Warnung öffnen:
WARNING !!!
GMER has found system modification, which might have been caused by ROOTKIT activity.
Do you want to fully scan your system ?

Unbedingt auf "No" klicken.
Entferne rechts den Haken bei: IAT/EAT und Show All
Setze den Haken bei Quickscan und entferne ihn bei allen anderen Laufwerken.
Starte den Scan mit "Scan".
Mache nichts am Computer während der Scan läuft.
Wenn der Scan fertig ist klicke auf Save und speichere die Logfile unter Gmer.txt auf deinem Desktop. Mit "Ok" wird GMER beendet.

Antiviren-Programm und sonstige Scanner wieder einschalten, bevor Du ins Netz gehst!

Tauchen Probleme auf?

Probiere alternativ den abgesicherten Modus.
Erhältst du einen Bluescreen, dann entferne den Haken vor Devices.

Bitte poste mit deiner nächsten Antwort

die beiden Logdateien von OTL,
die Logdatei von DeFogger,
die Logdatei von GMER.

PhattCasper · 27.03.2013, 09:01

Vielen Dank für deine Antwort. Ich habe alle Schritte ausgeführt und die Logfiles unten angehängt.

AdwCleaner Log

Code:

ATTFilter

# AdwCleaner v2.115 - Datei am 26/03/2013 um 23:01:52 erstellt
# Aktualisiert am 17/03/2013 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzer : Hoof - HOOF-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Hoof\Desktop\adwcleaner (1).exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****


***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Google Chrome v25.0.1364.172

Datei : C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

-\\ Opera v12.1.1532.0

Datei : C:\Users\Hoof\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [963 octets] - [25/03/2013 20:20:22]
AdwCleaner[S2].txt - [1024 octets] - [25/03/2013 20:20:50]
AdwCleaner[S3].txt - [959 octets] - [26/03/2013 23:01:52]

########## EOF - C:\AdwCleaner[S3].txt - [1018 octets] ##########

Malwarebytes Anti Malware Log

Code:

ATTFilter

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.03.26.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Hoof :: HOOF-PC [Administrator]

26.03.2013 23:07:23
mbam-log-2013-03-26 (23-07-23).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 213294
Laufzeit: 3 Minute(n), 52 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

OTL Log

Code:

ATTFilter

OTL logfile created on: 26.03.2013 23:13:35 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Hoof\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,99 Gb Total Physical Memory | 6,32 Gb Available Physical Memory | 79,14% Memory free
15,98 Gb Paging File | 14,11 Gb Available in Paging File | 88,32% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 244,76 Gb Total Space | 81,10 Gb Free Space | 33,13% Space Free | Partition Type: NTFS
Drive D: | 686,65 Gb Total Space | 235,65 Gb Free Space | 34,32% Space Free | Partition Type: NTFS
Drive K: | 596,17 Gb Total Space | 289,70 Gb Free Space | 48,59% Space Free | Partition Type: NTFS
 
Computer Name: HOOF-PC | User Name: Hoof | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.03.26 23:12:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Hoof\Downloads\OTL.exe
PRC - [2013.03.22 08:46:09 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2013.03.22 08:44:23 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2013.03.22 08:44:22 | 000,385,248 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2013.03.18 16:42:09 | 000,066,872 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2013.03.12 12:08:06 | 002,074,768 | ---- | M] () -- C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
PRC - [2013.02.23 02:36:04 | 000,545,576 | ---- | M] (AnchorFree Inc.) -- C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
PRC - [2013.02.23 02:33:26 | 000,389,928 | ---- | M] () -- C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
PRC - [2013.02.23 02:31:52 | 001,278,760 | ---- | M] (AnchorFree Inc.) -- C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe
PRC - [2013.02.23 02:29:46 | 000,453,928 | ---- | M] (AnchorFree Inc.) -- C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
PRC - [2013.02.12 06:29:22 | 000,213,384 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe
PRC - [2012.11.13 14:08:08 | 003,825,176 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
PRC - [2012.11.13 14:07:24 | 000,168,384 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2012.11.13 14:07:20 | 001,369,624 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2012.11.13 14:07:16 | 001,103,392 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2011.08.29 14:35:40 | 000,645,048 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
PRC - [2011.06.06 11:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2000.01.01 01:00:00 | 000,285,240 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
PRC - [2000.01.01 01:00:00 | 000,072,280 | ---- | M] () -- C:\Windows\SysWOW64\XSrvSetup.exe
PRC - [2000.01.01 01:00:00 | 000,014,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013.03.18 16:13:26 | 000,361,472 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorUtil\dae0c509425789ea34a7ab08294c7418\IAStorUtil.ni.dll
MOD - [2013.03.18 16:13:25 | 000,027,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorDataMgrSvcInt#\c9ee0efa5a5af0f43466f31a3bade02b\IAStorDataMgrSvcInterfaces.ni.dll
MOD - [2013.03.18 16:13:25 | 000,026,112 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorCommon\3277336bc6044a297268f28c76f09ad1\IAStorCommon.ni.dll
MOD - [2012.11.13 14:06:32 | 000,158,624 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
MOD - [2012.11.13 14:06:30 | 000,108,960 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
MOD - [2012.11.13 14:06:28 | 000,554,400 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\VirtualTreesDXE150.bpl
MOD - [2012.11.13 14:06:28 | 000,528,288 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\JSDialogPack150.bpl
MOD - [2012.11.13 14:06:28 | 000,416,160 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
MOD - [2011.10.07 13:30:28 | 001,223,168 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.WorkflowServ#\ca8dcd604805753d6d742d2c144caa38\System.WorkflowServices.ni.dll
MOD - [2011.10.07 13:30:10 | 001,140,736 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel#\cf08a2d91835dfe4c0f7c4f754409cbd\System.ServiceModel.Discovery.ni.dll
MOD - [2011.10.07 13:30:10 | 000,369,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel#\895061a65bf856ec3374568e544c7fbd\System.ServiceModel.Routing.ni.dll
MOD - [2011.10.07 13:30:09 | 000,082,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel#\c126870c858c401080cfba0231dc7b1b\System.ServiceModel.Channels.ni.dll
MOD - [2011.10.07 13:30:02 | 001,392,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel#\73a22298fcec16b2a565e042b97695a3\System.ServiceModel.Activities.ni.dll
MOD - [2011.10.07 13:30:00 | 001,072,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\64959e30802b421e783abb8d734e0930\System.IdentityModel.ni.dll
MOD - [2011.10.07 13:29:59 | 018,058,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\e026d28c52a93326c2103249f4f50974\System.ServiceModel.ni.dll
MOD - [2011.10.07 13:29:49 | 001,086,464 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel#\4b39d989ad9ef2f5931b1f81813b3468\System.ServiceModel.Web.ni.dll
MOD - [2011.10.07 13:28:43 | 001,021,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Dura#\9fa53e9a7dd7a6755481754f5b435512\System.Runtime.DurableInstancing.ni.dll
MOD - [2011.10.07 13:28:42 | 002,647,040 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Seri#\40bbf4532264a9d725820685441c9b63\System.Runtime.Serialization.ni.dll
MOD - [2011.10.07 13:28:42 | 000,143,360 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\e7f733c3283e5553863978bdb65e9c32\SMDiagnostics.ni.dll
MOD - [2011.10.07 13:28:25 | 001,782,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\9096e4303051575062197a0fc2eab9ae\System.Xaml.ni.dll
MOD - [2011.10.07 08:22:01 | 013,138,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\9706eca0afd01652ad6f1eb3bbe4fe8d\System.Windows.Forms.ni.dll
MOD - [2011.10.07 08:21:58 | 007,069,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\d9fd8c6bd339b11c54a968adf61a9957\System.Core.ni.dll
MOD - [2011.10.07 08:21:56 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\334af79d895a879e50187796755e9c38\System.Xml.ni.dll
MOD - [2011.10.07 08:21:54 | 001,652,736 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\8b29b24f9de481b6df2c3fdc35ea9177\System.Drawing.ni.dll
MOD - [2011.10.07 08:21:53 | 000,982,528 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2213eddb1f1436502a472b946dec1017\System.Configuration.ni.dll
MOD - [2011.10.07 08:21:52 | 009,086,464 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e130bb8cf2f1f63471c25b1c48fbef18\System.ni.dll
MOD - [2011.10.07 08:20:23 | 014,407,680 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\93e7df09dacd5fef442cc22d28efec83\mscorlib.ni.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2012.12.19 20:56:00 | 000,240,640 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011.11.21 15:10:10 | 000,036,160 | ---- | M] (TuneUp Software) [Disabled | Stopped] -- C:\Windows\SysNative\uxtuneup.dll -- (UxTuneUp)
SRV:64bit: - [2009.07.14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2013.03.22 08:46:09 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013.03.22 08:44:23 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2013.03.18 16:42:09 | 000,066,872 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2013.03.15 17:29:10 | 000,543,656 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2013.03.12 22:41:31 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.03.12 12:08:06 | 002,074,768 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe -- (DragonUpdater)
SRV - [2013.02.23 02:36:04 | 000,545,576 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe -- (hshld)
SRV - [2013.02.23 02:33:26 | 000,389,928 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2013.02.23 02:29:46 | 000,453,928 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe -- (HssSrv)
SRV - [2013.02.22 02:54:48 | 000,078,512 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE -- (HssTrayService)
SRV - [2012.11.08 00:37:39 | 002,828,408 | ---- | M] (COMODO) [Auto | Running] -- C:\Programme\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2012.10.23 22:59:18 | 000,230,416 | ---- | M] (Nitro PDF Software) [Disabled | Stopped] -- C:\Programme\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe -- (NitroReaderDriverReadSpool3)
SRV - [2012.10.02 12:13:44 | 003,064,000 | ---- | M] (Skype Technologies S.A.) [Disabled | Stopped] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2012.07.27 12:26:54 | 000,008,192 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysWOW64\srvany.exe -- (KMService)
SRV - [2012.06.07 18:12:14 | 000,160,944 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.02.16 09:44:51 | 000,607,040 | ---- | M] (TuneUp Software) [Disabled | Stopped] -- C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2012.01.04 12:32:36 | 000,718,888 | ---- | M] (Nokia) [Disabled | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2011.12.15 18:29:42 | 000,014,848 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2011.11.21 15:12:56 | 001,403,200 | ---- | M] (TuneUp Software) [Disabled | Stopped] -- C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe -- (TuneUp.UtilitiesSvc)
SRV - [2011.11.21 15:10:04 | 000,030,016 | ---- | M] (TuneUp Software) [Disabled | Stopped] -- C:\Windows\SysWOW64\uxtuneup.dll -- (UxTuneUp)
SRV - [2011.08.31 19:20:38 | 000,415,072 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Dyyno Broadcaster\launcherd.exe -- (Dyyno Launcher)
SRV - [2011.08.29 14:35:40 | 000,645,048 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2011.06.06 11:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010.03.18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010.01.09 19:34:24 | 004,925,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
SRV - [2010.01.09 19:20:56 | 000,174,440 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose64)
SRV - [2009.09.11 12:33:54 | 000,009,216 | ---- | M] (Vodafone) [Disabled | Stopped] -- C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2009.08.18 11:48:02 | 002,291,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009.06.10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2000.01.01 01:00:00 | 000,072,280 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\XSrvSetup.exe -- (JMB36X)
SRV - [2000.01.01 01:00:00 | 000,014,904 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\A-FF Find and Mount\slicedisk-x64.sys -- (SliceDisk5)
DRV:64bit: - [2013.03.23 09:00:01 | 000,015,712 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SWDUMon.sys -- (SWDUMon)
DRV:64bit: - [2013.03.22 08:47:21 | 000,027,800 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2013.03.22 08:47:20 | 000,129,216 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2013.03.22 08:47:18 | 000,099,912 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2013.02.22 02:43:20 | 000,046,280 | ---- | M] (AnchorFree Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\hssdrv6.sys -- (HssDRV6)
DRV:64bit: - [2013.02.14 18:50:38 | 000,066,728 | ---- | M] (Eugene V. Muzychenko) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vrtaucbl.sys -- (EuMusDesignVirtualAudioCableWdm)
DRV:64bit: - [2013.01.05 04:48:36 | 000,042,328 | ---- | M] (Anchorfree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\taphss6.sys -- (taphss6)
DRV:64bit: - [2012.12.19 21:48:48 | 011,278,336 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2012.12.19 20:32:54 | 000,552,960 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2012.11.06 12:11:52 | 000,096,256 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2012.08.20 13:48:50 | 000,019,032 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\pwdrvio.sys -- (pwdrvio)
DRV:64bit: - [2012.08.20 13:48:48 | 000,012,384 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\pwdspio.sys -- (pwdspio)
DRV:64bit: - [2012.04.06 19:15:10 | 000,038,632 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\taphss.sys -- (taphss)
DRV:64bit: - [2012.04.02 01:31:43 | 000,047,208 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tbhsd.sys -- (tbhsd)
DRV:64bit: - [2011.12.15 18:29:42 | 000,031,232 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tap0901.sys -- (tap0901)
DRV:64bit: - [2011.11.01 09:07:26 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltjx64.sys -- (UsbserFilt)
DRV:64bit: - [2011.11.01 09:07:26 | 000,009,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys -- (upperdev)
DRV:64bit: - [2011.11.01 09:07:24 | 000,027,136 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbox64.sys -- (nmwcdc)
DRV:64bit: - [2011.11.01 09:07:24 | 000,019,968 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ccdcmbx64.sys -- (nmwcd)
DRV:64bit: - [2011.08.30 08:53:14 | 000,314,016 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt)
DRV:64bit: - [2011.08.30 08:53:13 | 000,043,680 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt)
DRV:64bit: - [2011.08.29 14:35:40 | 000,022,264 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vpnva64.sys -- (vpnva)
DRV:64bit: - [2011.08.23 07:52:41 | 000,270,912 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2011.07.29 12:54:56 | 000,016,776 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\epmntdrv.sys -- (epmntdrv)
DRV:64bit: - [2011.07.29 12:54:56 | 000,009,096 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\EuGdiDrv.sys -- (EuGdiDrv)
DRV:64bit: - [2011.03.28 09:52:52 | 000,053,840 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\uimx64.sys -- (UimBus)
DRV:64bit: - [2011.03.28 09:52:50 | 000,528,464 | ---- | M] (Paragon) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\Uim_IMx64.sys -- (Uim_IM)
DRV:64bit: - [2010.11.20 04:33:36 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 04:32:48 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010.11.20 04:32:48 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.20 02:07:06 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.11.20 01:43:58 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser)
DRV:64bit: - [2010.11.19 03:34:26 | 000,181,248 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2010.11.19 03:34:26 | 000,080,384 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2010.04.12 09:55:00 | 000,091,568 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\scdemu.sys -- (SCDEmu)
DRV:64bit: - [2009.07.14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 02:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009.07.14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.29 18:00:50 | 000,132,608 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ewusbnet.sys -- (ewusbnet)
DRV:64bit: - [2009.06.29 18:00:50 | 000,116,096 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ewusbfake.sys -- (hwusbfake)
DRV:64bit: - [2009.06.10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.04.09 13:38:24 | 000,116,864 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ewusbmdm.sys -- (hwdatacard)
DRV:64bit: - [2009.03.18 15:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)
DRV:64bit: - [2008.08.28 10:44:42 | 000,025,600 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys -- (pccsmcfd)
DRV:64bit: - [2000.01.01 01:00:00 | 000,685,672 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2000.01.01 01:00:00 | 000,652,344 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStorA.sys -- (iaStorA)
DRV:64bit: - [2000.01.01 01:00:00 | 000,120,920 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2000.01.01 01:00:00 | 000,028,216 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStorF.sys -- (iaStorF)
DRV - [2013.01.15 23:25:41 | 000,019,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\RivaTuner v2.24\RivaTuner64.sys -- (RivaTuner64)
DRV - [2011.07.29 12:54:56 | 000,014,216 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\epmntdrv.sys -- (epmntdrv)
DRV - [2011.07.29 12:54:56 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2009.10.14 07:24:44 | 000,011,856 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesDriver64.sys -- (TuneUpUtilitiesDrv)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = 
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 04 A6 23 99 58 F5 CC 01  [binary data]
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\..\SearchScopes\{26025DB2-B097-4B94-8196-87425543D45B}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ATU3&o=15380&src=crm&q={searchTerms}&locale=&apn_ptnrs=UJ&apn_dtid=YYYYYYYYDE&apn_uid=050255d6-383c-491e-9a39-8278963edb93&apn_sauid=B093382A-8ABA-49F5-A84D-146F3D7A0411
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;localhost;10.*;192.168.*;127.0.0.1:895;127.0.0.1:896
IE - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.uni-hamburg.de:3128
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.0: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nitropdf.com/NitroPDF: C:\Program Files (x86)\Nitro\Reader 3\npnitromozilla.dll (Nitro PDF)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011.08.24 00:32:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fe_9.0@nokia.com: C:\Program Files (x86)\Nokia\Nokia Suite\Connectors\Bookmarks Connector\FirefoxExtension_9.0 [2012.04.30 00:09:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\te_9.0@nokia.com: C:\Program Files (x86)\Nokia\Nokia Suite\Connectors\Thunderbird Connector\ThunderbirdExtension_9.0 [2012.04.30 00:09:58 | 000,000,000 | ---D | M]
 
[2013.03.19 22:22:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 7 U9 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Nitro PDF plugin for Firefox and Chrome (Enabled) = C:\Program Files (x86)\Nitro\Reader 3\npnitromozilla.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
CHR - plugin: CANON iMAGE GATEWAY Album Plugin Utility (Enabled) = C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
CHR - plugin: Java Deployment Toolkit 7.0.90.5 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - Extension: WOT = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp\1.4.10_0\
CHR - Extension: Adblock Plus = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.4_0\
CHR - Extension: 1-ClickWeather for Chrome = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgmbighdoomjmebfbgplfmhcdbomjkoa\1.1.0.3_0\
CHR - Extension: Stealthy = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieaebnkibonmpbhdaanjkmedikadnoje\3.0.1_0\
CHR - Extension: Auto Replay for YouTube = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\kanbnempkjnhadplbfgdaagijdbdbjeb\1.9.25_0\
CHR - Extension: Lyrics for YouTube\u2122 = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\kggldhblikkmmnbkeococbeoaacgelkf\0.20_0\
CHR - Extension: Auto HD For YouTube = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\koiaokdomkpjdgniimnkhgbilbjgpeak\3.7.7.1_0\
CHR - Extension: Stop Autoplay for YouTube. = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgdfnbpkmkkdhgidgcpdkgpdlfjcgnnh\0.11.5.24_0\
CHR - Extension: Google Mail-Checker = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\4.4.0_0\
CHR - Extension: Anatronica - 3D Interactive Anatomy = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\nalpooddpdnhjicpjgnhaihnnfnmbpee\1.1.4_0\
CHR - Extension: Popout for YouTube\u2122 = C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Extensions\pofekaindcmmojfnfgbpklepkjfilcep\4.2.8_0\
 
O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2:64bit: - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe (Intel Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [SDTray] C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000..\Run: []  File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-1699689582-2667143130-2167436585-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Programme\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8:64bit: - Extra context menu item: Free YouTube Download - C:\Users\Hoof\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm File not found
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Hoof\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm File not found
O8:64bit: - Extra context menu item: Se&nd to OneNote - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Programme\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Free YouTube Download - C:\Users\Hoof\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm File not found
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Hoof\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm File not found
O8 - Extra context menu item: Se&nd to OneNote - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab (Java Plug-in 1.6.0_34)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_34-windows-i586.cab (Java Plug-in 10.9.2)
O16 - DPF: CC679CB8-DC4B-458B-B817-D447B3B6AC31 vpnweb.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6F10A6DA-D7DA-4FD2-A658-9D4854BCFE81}: DhcpNameServer = 139.7.30.126 139.7.30.125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{743CEE34-0736-4D5F-A147-C69F79A2B377}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\ms-help - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) -  File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28:64bit: - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.06.20 22:27:36 | 000,000,104 | RHS- | M] () - K:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{388b0582-937e-11e0-81e1-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{388b0582-937e-11e0-81e1-806e6f6e6963}\Shell\AutoRun\command - "" = E:\shelexec.exe Pfeifer_Ruecken.pdf
O33 - MountPoints2\{84f9214a-3b99-11e1-be5f-1c6f653c94c2}\Shell - "" = AutoRun
O33 - MountPoints2\{84f9214a-3b99-11e1-be5f-1c6f653c94c2}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{84f9219d-3b99-11e1-be5f-1c6f653c94c2}\Shell - "" = AutoRun
O33 - MountPoints2\{84f9219d-3b99-11e1-be5f-1c6f653c94c2}\Shell\AutoRun\command - "" = G:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{894d4ddf-9380-11e0-bd0c-1c6f653c94c2}\Shell - "" = AutoRun
O33 - MountPoints2\{894d4ddf-9380-11e0-bd0c-1c6f653c94c2}\Shell\AutoRun\command - "" = I:\steambackup.EXE
O33 - MountPoints2\{9be3fd73-3d41-11e1-8bbb-001e101fb681}\Shell - "" = AutoRun
O33 - MountPoints2\{9be3fd73-3d41-11e1-8bbb-001e101fb681}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\Autorun.exe
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP
 
MsConfig:64bit - StartUpFolder: C:^Users^Hoof^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk - C:\Users\Hoof\AppData\Roaming\Dropbox\bin\Dropbox.exe - (Dropbox, Inc.)
MsConfig:64bit - StartUpReg: BCSSync - hkey= - key= - C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
MsConfig:64bit - StartUpReg: DAEMON Tools Lite - hkey= - key= - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
MsConfig:64bit - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
MsConfig:64bit - StartUpReg: Eraser - hkey= - key= - C:\Programme\Eraser\Eraser.exe (The Eraser Project)
MsConfig:64bit - StartUpReg: LogMeIn Hamachi Ui - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: NokiaMServer - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: NokiaOviSuite2 - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: PDFPrint - hkey= - key= - C:\Program Files (x86)\PDF24\pdf24.exe (Geek Software GmbH)
MsConfig:64bit - StartUpReg: PWRISOVM.EXE - hkey= - key= - C:\Program Files (x86)\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
MsConfig:64bit - StartUpReg: SandboxieControl - hkey= - key= -  File not found
MsConfig:64bit - StartUpReg: Steam - hkey= - key= - C:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
MsConfig:64bit - State: "services" - Reg Error: Key error.
MsConfig:64bit - State: "startup" - Reg Error: Key error.
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.03.26 11:15:07 | 000,000,000 | ---D | C] -- C:\Users\Hoof\Desktop\Bin64
[2013.03.26 11:02:49 | 000,000,000 | ---D | C] -- C:\Users\Hoof\Desktop\Neuer Ordner
[2013.03.25 19:44:24 | 000,017,272 | ---- | C] (Safer Networking Limited) -- C:\Windows\SysNative\sdnclean64.exe
[2013.03.25 19:44:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy 2
[2013.03.22 16:10:39 | 000,000,000 | ---D | C] -- C:\Users\Hoof\AppData\Roaming\Avira
[2013.03.22 16:04:46 | 000,129,216 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\SysNative\drivers\avipbb.sys
[2013.03.22 16:04:46 | 000,099,912 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\SysNative\drivers\avgntflt.sys
[2013.03.22 16:04:46 | 000,027,800 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\SysNative\drivers\avkmgr.sys
[2013.03.22 16:03:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2013.03.22 16:03:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Avira
[2013.03.22 09:56:06 | 000,000,000 | ---D | C] -- C:\Users\Hoof\Documents\BioWare
[2013.03.20 18:49:10 | 000,000,000 | ---D | C] -- C:\Users\Hoof\AppData\Roaming\Malwarebytes
[2013.03.20 18:49:03 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.03.20 18:49:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.03.20 18:49:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.03.20 11:24:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft XNA
[2013.03.19 22:24:07 | 000,000,000 | ---D | C] -- C:\Users\Hoof\Local Settings
[2013.03.19 07:16:33 | 000,000,000 | ---D | C] -- C:\Users\Hoof\AppData\Roaming\Intel Corporation
[2013.03.19 07:11:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Intel Corporation
[2013.03.18 18:30:48 | 000,000,000 | ---D | C] -- C:\Users\Hoof\Documents\Crayon Physics Deluxe
[2013.03.18 18:29:43 | 000,000,000 | ---D | C] -- C:\Users\Hoof\AppData\Roaming\Crayon Physics Deluxe
[2013.03.18 16:55:06 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\URTTEMP
[2013.03.18 16:13:27 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel
[2013.03.18 16:12:57 | 000,000,000 | ---D | C] -- C:\Intel
[2013.03.18 16:12:56 | 000,652,344 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\iaStorA.sys
[2013.03.18 16:12:56 | 000,028,216 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\iaStorF.sys
[2013.03.16 09:29:35 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\RTCOM
[2013.03.16 09:29:35 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek
[2013.03.16 09:28:59 | 002,080,120 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\WavesGUILib64.dll
[2013.03.16 09:28:58 | 001,361,336 | ---- | C] (TOSHIBA Corporation) -- C:\Windows\SysNative\tosade.dll
[2013.03.16 09:28:58 | 000,836,544 | ---- | C] (TOSHIBA Corporation) -- C:\Windows\SysNative\tadefxapo264.dll
[2013.03.16 09:28:58 | 000,155,888 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSWOW64.dll
[2013.03.16 09:28:58 | 000,148,416 | ---- | C] (TOSHIBA Corporation) -- C:\Windows\SysNative\tadefxapo.dll
[2013.03.16 09:28:58 | 000,065,944 | ---- | C] (TOSHIBA CORPORATION.) -- C:\Windows\SysNative\tepeqapo64.dll
[2013.03.16 09:28:57 | 000,518,896 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSTSX64.dll
[2013.03.16 09:28:57 | 000,211,184 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSTSH64.dll
[2013.03.16 09:28:57 | 000,198,896 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSHP64.dll
[2013.03.16 09:28:56 | 000,772,224 | ---- | C] (Sony Corporation) -- C:\Windows\SysNative\SFSS_APO.dll
[2013.03.16 09:28:55 | 002,744,464 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtPgEx64.dll
[2013.03.16 09:28:55 | 001,652,960 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RTSnMg64.cpl
[2013.03.16 09:28:55 | 000,331,880 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtlCPAPI64.dll
[2013.03.16 09:28:55 | 000,221,024 | ---- | C] (Synopsys, Inc.) -- C:\Windows\SysNative\SFNHK64.dll
[2013.03.16 09:28:55 | 000,081,248 | ---- | C] (Synopsys, Inc.) -- C:\Windows\SysNative\SFCOM64.dll
[2013.03.16 09:28:55 | 000,078,688 | ---- | C] (Synopsys, Inc.) -- C:\Windows\SysNative\SFAPO64.dll
[2013.03.16 09:28:55 | 000,074,064 | ---- | C] (Virage Logic Corporation / Sonic Focus) -- C:\Windows\SysWow64\SFCOM.dll
[2013.03.16 09:28:54 | 000,149,608 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtkCfg64.dll
[2013.03.16 09:28:54 | 000,014,952 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtkCoLDR64.dll
[2013.03.16 09:28:53 | 003,673,232 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtkAPO64.dll
[2013.03.16 09:28:53 | 001,273,488 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RTCOM64.dll
[2013.03.16 09:28:53 | 000,881,808 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtkApi64.dll
[2013.03.16 09:28:53 | 000,375,128 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEP64A.dll
[2013.03.16 09:28:53 | 000,310,104 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RP3DHT64.dll
[2013.03.16 09:28:53 | 000,310,104 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RP3DAA64.dll
[2013.03.16 09:28:53 | 000,204,120 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEED64A.dll
[2013.03.16 09:28:53 | 000,101,208 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEL64A.dll
[2013.03.16 09:28:53 | 000,078,680 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEG64A.dll
[2013.03.16 09:28:52 | 011,929,600 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RCoRes64.dat
[2013.03.16 09:28:52 | 000,126,176 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RCoInstII64.dll
[2013.03.16 09:28:51 | 007,164,176 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EEP64A.dll
[2013.03.16 09:28:51 | 000,141,584 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EEL64A.dll
[2013.03.16 09:28:50 | 000,434,960 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EED64A.dll
[2013.03.16 09:28:50 | 000,124,176 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EEA64A.dll
[2013.03.16 09:28:50 | 000,075,024 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EEG64A.dll
[2013.03.16 09:28:49 | 009,546,616 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioRealtek64.dll
[2013.03.16 09:28:49 | 001,460,600 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioRealtek264.dll
[2013.03.16 09:28:49 | 000,394,616 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxVolumeSDAPO.dll
[2013.03.16 09:28:48 | 002,028,920 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioEQ64.dll
[2013.03.16 09:28:48 | 000,869,752 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPOShell64.dll
[2013.03.16 09:28:48 | 000,394,616 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPO30.dll
[2013.03.16 09:28:48 | 000,318,808 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPO20.dll
[2013.03.16 09:28:47 | 000,603,984 | ---- | C] (Knowles Acoustics ) -- C:\Windows\SysNative\KAAPORT64.dll
[2013.03.16 09:28:43 | 002,714,720 | ---- | C] (Fortemedia Corporation) -- C:\Windows\SysNative\FMAPO64.dll
[2013.03.16 09:28:43 | 000,693,352 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSVoiceClarityDLL64.dll
[2013.03.16 09:28:43 | 000,501,192 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSU2PLFX64.dll
[2013.03.16 09:28:43 | 000,487,368 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSU2PGFX64.dll
[2013.03.16 09:28:43 | 000,415,688 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSU2PREC64.dll
[2013.03.16 09:28:42 | 001,756,264 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSS2SpeakerDLL64.dll
[2013.03.16 09:28:42 | 001,568,360 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSS2HeadphoneDLL64.dll
[2013.03.16 09:28:42 | 000,712,296 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSSymmetryDLL64.dll
[2013.03.16 09:28:41 | 001,486,952 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSBoostDLL64.dll
[2013.03.16 09:28:41 | 000,728,680 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSBassEnhancementDLL64.dll
[2013.03.16 09:28:41 | 000,491,112 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSNeoPCDLL64.dll
[2013.03.16 09:28:41 | 000,432,744 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSLimiterDLL64.dll
[2013.03.16 09:28:41 | 000,428,648 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSGainCompensatorDLL64.dll
[2013.03.16 09:28:41 | 000,242,792 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSLFXAPO64.dll
[2013.03.16 09:28:41 | 000,242,792 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSGFXAPO64.dll
[2013.03.16 09:28:41 | 000,241,768 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSGFXAPONS64.dll
[2013.03.16 09:28:40 | 000,202,336 | ---- | C] (Andrea Electronics Corporation) -- C:\Windows\SysNative\AERTAC64.dll
[2013.03.16 09:28:40 | 000,110,592 | ---- | C] (Real Sound Lab SIA) -- C:\Windows\SysNative\CONEQMSAPOGUILibrary.dll
[2013.03.16 09:28:40 | 000,108,640 | ---- | C] (Andrea Electronics Corporation) -- C:\Windows\SysNative\AERTAR64.dll
[2013.03.15 19:05:08 | 000,000,000 | ---D | C] -- C:\Users\Hoof\Desktop\Epic-Scarf_Face-2009-FTD
[2013.03.14 20:26:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StarCraft II
[2013.03.14 20:26:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Battle.net
[2013.03.14 20:12:37 | 000,000,000 | ---D | C] -- C:\Users\Hoof\Documents\StarCraft II
[2013.03.14 20:12:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2013.03.14 20:12:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II
[2013.03.13 10:53:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\audiograbber
[2013.03.06 09:48:44 | 000,000,000 | ---D | C] -- C:\Users\Hoof\AppData\Roaming\Trine2
[2013.03.05 20:29:41 | 000,000,000 | ---D | C] -- C:\Users\Hoof\AppData\Roaming\runic games
[2013.03.05 20:26:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Torchlight
[2013.03.05 20:25:57 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Runic
[2013.03.05 18:53:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JoWooD
[2013.03.05 18:51:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Torchlight
[2013.03.05 10:12:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monkey Island™ Special Edition Collection
[2013.03.02 18:02:41 | 001,942,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DCompiler_39.dll
[2013.03.02 18:02:41 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\D3DCompiler_39.dll
[2013.03.02 18:02:41 | 000,540,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3dx10_39.dll
[2013.03.02 18:02:41 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3dx10_39.dll
[2013.03.02 18:02:40 | 004,992,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\D3DX9_39.dll
[2013.03.02 18:00:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trine
[4 C:\Users\Hoof\Desktop\*.tmp files -> C:\Users\Hoof\Desktop\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.03.26 23:14:08 | 000,014,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.26 23:14:08 | 000,014,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.26 23:06:26 | 000,001,102 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.03.26 23:06:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.26 18:41:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.26 18:34:01 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.03.26 18:16:12 | 000,609,993 | ---- | M] () -- C:\Users\Hoof\Desktop\adwcleaner (1).exe
[2013.03.26 16:27:29 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.03.26 11:04:56 | 025,553,882 | ---- | M] () -- C:\Users\Hoof\Desktop\Bin64.zip
[2013.03.25 20:22:49 | 000,411,200 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.03.25 19:44:28 | 000,002,177 | ---- | M] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2013.03.25 09:36:01 | 000,233,888 | ---- | M] () -- C:\Users\Hoof\Desktop\aok.pdf
[2013.03.24 10:47:36 | 001,654,042 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.03.24 10:47:36 | 000,711,798 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.03.24 10:47:36 | 000,664,810 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.03.24 10:47:36 | 000,154,388 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.03.24 10:47:36 | 000,126,438 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.03.23 23:45:13 | 000,024,596 | ---- | M] () -- C:\Users\Hoof\Desktop\STEAM.pdf
[2013.03.23 11:18:08 | 000,000,462 | ---- | M] () -- C:\Windows\tasks\SlimDrivers Scan.job
[2013.03.23 09:23:33 | 000,365,019 | ---- | M] () -- C:\Users\Hoof\Desktop\Barmer.pdf
[2013.03.23 09:23:08 | 000,233,844 | ---- | M] () -- C:\Users\Hoof\Desktop\Techniker Krankenkasse.pdf
[2013.03.23 09:00:01 | 000,015,712 | ---- | M] () -- C:\Windows\SysNative\drivers\SWDUMon.sys
[2013.03.22 08:47:21 | 000,027,800 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\SysNative\drivers\avkmgr.sys
[2013.03.22 08:47:20 | 000,129,216 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\SysNative\drivers\avipbb.sys
[2013.03.22 08:47:18 | 000,099,912 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\SysNative\drivers\avgntflt.sys
[2013.03.19 07:11:06 | 001,678,782 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013.03.18 16:42:20 | 000,103,736 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2013.03.18 16:42:09 | 000,669,184 | ---- | M] () -- C:\Windows\SysWow64\pbsvc.exe
[2013.03.18 16:42:09 | 000,066,872 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2013.03.18 07:50:58 | 000,281,688 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2013.03.18 07:50:58 | 000,281,688 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2013.03.14 09:10:21 | 000,001,383 | -H-- | M] () -- C:\Windows\EPMBatch.ept
[2013.03.13 10:53:59 | 000,000,034 | ---- | M] () -- C:\Windows\cdplayer.ini
[2013.03.12 22:41:31 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013.03.12 22:41:31 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013.03.12 21:31:15 | 000,056,072 | ---- | M] (COMODO CA Limited) -- C:\Windows\SysNative\certsentry.dll
[2013.03.12 21:31:15 | 000,047,368 | ---- | M] (COMODO CA Limited) -- C:\Windows\SysWow64\certsentry.dll
[4 C:\Users\Hoof\Desktop\*.tmp files -> C:\Users\Hoof\Desktop\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.03.26 18:16:10 | 000,609,993 | ---- | C] () -- C:\Users\Hoof\Desktop\adwcleaner (1).exe
[2013.03.26 16:27:29 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.03.26 11:14:58 | 025,553,882 | ---- | C] () -- C:\Users\Hoof\Desktop\Bin64.zip
[2013.03.25 19:44:28 | 000,002,189 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2013.03.25 19:44:28 | 000,002,177 | ---- | C] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2013.03.25 09:36:01 | 000,233,888 | ---- | C] () -- C:\Users\Hoof\Desktop\aok.pdf
[2013.03.23 23:45:11 | 000,024,596 | ---- | C] () -- C:\Users\Hoof\Desktop\STEAM.pdf
[2013.03.23 09:23:33 | 000,365,019 | ---- | C] () -- C:\Users\Hoof\Desktop\Barmer.pdf
[2013.03.23 09:23:08 | 000,233,844 | ---- | C] () -- C:\Users\Hoof\Desktop\Techniker Krankenkasse.pdf
[2013.03.18 16:42:09 | 000,669,184 | ---- | C] () -- C:\Windows\SysWow64\pbsvc.exe
[2013.03.16 09:28:53 | 000,394,185 | ---- | C] () -- C:\Windows\SysNative\drivers\RTAIODAT.DAT
[2013.03.14 09:03:08 | 000,001,383 | -H-- | C] () -- C:\Windows\EPMBatch.ept
[2013.03.13 10:53:59 | 000,000,034 | ---- | C] () -- C:\Windows\cdplayer.ini
[2013.01.13 08:34:40 | 000,072,280 | ---- | C] () -- C:\Windows\SysWow64\XSrvSetup.exe
[2012.10.15 12:33:35 | 002,469,760 | ---- | C] () -- C:\Windows\SysWow64\BootMan.exe
[2012.10.15 12:33:35 | 000,019,840 | ---- | C] () -- C:\Windows\SysWow64\EuEpmGdi.dll
[2012.10.15 12:33:34 | 000,086,408 | ---- | C] () -- C:\Windows\SysWow64\setupempdrv03.exe
[2012.10.15 12:33:34 | 000,014,216 | ---- | C] () -- C:\Windows\SysWow64\epmntdrv.sys
[2012.10.15 12:33:34 | 000,008,456 | ---- | C] () -- C:\Windows\SysWow64\EuGdiDrv.sys
[2012.10.08 17:21:08 | 000,001,479 | ---- | C] () -- C:\Users\Hoof\AppData\Local\recently-used.xbel
[2012.09.16 16:56:06 | 000,000,551 | ---- | C] () -- C:\Users\Hoof\AppData\Roaming\AutoGK.ini
[2012.06.24 19:01:56 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\grcauth2.dll
[2012.06.24 19:01:56 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\grcauth1.dll
[2012.06.24 19:01:56 | 000,000,100 | ---- | C] () -- C:\Windows\SysWow64\prsgrc.dll
[2012.05.02 13:58:10 | 000,029,184 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2012.04.30 11:24:58 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2012.04.25 14:33:38 | 000,001,274 | ---- | C] () -- C:\Windows\scummvm.ini
[2012.04.22 09:52:01 | 000,484,352 | ---- | C] () -- C:\Windows\SysWow64\lame_enc.dll
[2012.02.15 03:36:36 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.02.15 03:36:36 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012.01.28 16:01:58 | 000,008,192 | ---- | C] () -- C:\Windows\SysWow64\srvany.exe
[2011.12.07 10:53:18 | 000,000,236 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2011.12.03 00:53:46 | 000,007,631 | ---- | C] () -- C:\Users\Hoof\AppData\Local\Resmon.ResmonCfg
[2011.12.01 08:23:44 | 000,000,000 | ---- | C] () -- C:\Users\Hoof\AppData\Local\{B83F378D-F334-447D-B849-84003D05BB00}
[2011.12.01 08:07:21 | 000,000,000 | ---- | C] () -- C:\Users\Hoof\AppData\Local\{FE3E17BC-00CA-4FF8-B955-C9F56D9B6594}
[2011.10.25 21:21:34 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\OVDecoder.dll
[2011.09.28 16:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011.09.19 14:03:40 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\rtvcvfw32.dll
[2011.09.12 23:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.08.03 18:56:21 | 000,007,680 | ---- | C] () -- C:\Users\Hoof\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.07.21 10:47:58 | 000,000,167 | ---- | C] () -- C:\Windows\ODBC.INI
[2011.06.16 11:32:07 | 001,678,782 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.06.15 13:07:15 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\clauth2.dll
[2011.06.15 13:07:15 | 000,001,024 | ---- | C] () -- C:\Windows\SysWow64\clauth1.dll
[2011.06.15 13:07:15 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\ssprs.dll
[2011.06.15 13:07:15 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\serauth2.dll
[2011.06.15 13:07:15 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\serauth1.dll
[2011.06.15 13:07:15 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\nsprs.dll
[2011.06.15 13:06:27 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\sysprs7.dll
[2011.06.15 13:06:27 | 000,000,336 | ---- | C] () -- C:\Windows\SysWow64\lsprst7.dll
[2011.06.13 17:57:15 | 000,103,736 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011.06.13 17:57:13 | 000,066,872 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011.06.10 17:42:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2010.11.20 04:27:26 | 014,174,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010.11.20 03:21:20 | 012,872,192 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 03:19:04 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >

Fortsetzung folgt

PhattCasper · 27.03.2013, 09:03

Fortsetzung

OTL Extras Log

Code:

ATTFilter

OTL Extras logfile created on: 26.03.2013 23:13:35 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Hoof\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,99 Gb Total Physical Memory | 6,32 Gb Available Physical Memory | 79,14% Memory free
15,98 Gb Paging File | 14,11 Gb Available in Paging File | 88,32% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 244,76 Gb Total Space | 81,10 Gb Free Space | 33,13% Space Free | Partition Type: NTFS
Drive D: | 686,65 Gb Total Space | 235,65 Gb Free Space | 34,32% Space Free | Partition Type: NTFS
Drive K: | 596,17 Gb Total Space | 289,70 Gb Free Space | 48,59% Space Free | Partition Type: NTFS
 
Computer Name: HOOF-PC | User Name: Hoof | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-1699689582-2667143130-2167436585-1000\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [ID3-TagIT] -- "C:\Program Files (x86)\ID3-TagIT 3\ID3-TagIT.exe" "/P=%1" ( )
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [ID3-TagIT] -- "C:\Program Files (x86)\ID3-TagIT 3\ID3-TagIT.exe" "/P=%1" ( )
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{115541E6-2F3E-4D48-A9C8-B4C8ED531D09}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{13AB8B2F-B191-4CE2-9AC0-E881AAE2E555}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe | 
"{619E0645-A4A2-40B3-895E-B58F45C98FBE}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe | 
"{73DD29C0-94C9-4F42-A206-1D8ED749FE9A}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{D956050F-9E64-47C1-A4E2-0C1BD9AD1888}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{001696AA-C6D8-406D-A21A-49098E5FFFCC}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\samorost 2\samorost2.exe | 
"{002BEC14-3432-4540-9AE3-5D1EC55BE821}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\aquaria\aquaria.exe | 
"{00E813B6-1024-47A2-84E0-E24D1B8BBC75}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\total war shogun 2\benchmarks\benchmark_specify_properties.bat | 
"{031A843D-E0C9-4F20-AEAB-04B9CFD8D3CE}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\world of goo\worldofgoo.exe | 
"{04313ABB-7FC0-49D6-B883-16547CDEAA1B}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\magical drop v\magicaldropv.exe | 
"{096411F4-7921-444E-B76F-F7220BB909E1}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\osmos\osmos.exe | 
"{0B2A2C57-2B51-475D-BCD6-2C4813CADD97}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\antichamber\binaries\win32\udk.exe | 
"{0FA31BBA-3D48-4CB8-B14F-23BF5E42E431}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe | 
"{165A46CE-DD40-4D93-BBF2-61AA08F27126}" = protocol=17 | dir=in | app=c:\program files (x86)\ea games\battlefield 2\bf2.exe | 
"{16B75E32-84C9-447F-B893-A56096F6CEAB}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\amnesia the dark descent\launcher.exe | 
"{17B4C708-06DE-4B4D-89A4-BCC1FA678971}" = protocol=17 | dir=in | app=c:\program files (x86)\dyyno broadcaster\dppm_source.exe | 
"{1858CC4C-83B9-42C4-9365-7C93AF4993F0}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\total war shogun 2\data\encyclopedia\how_to_play.html | 
"{1945765D-2656-4A0B-8BF2-5E267874D73E}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe | 
"{19FE45FA-EA92-4E94-8C97-E4B34819BA20}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\defcon\defcon.exe | 
"{1A4F5D29-0639-493A-AA6A-F23011DD67CD}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\superbrothers sword & sworcery ep\swordandsworcery_pc.exe | 
"{1ADE29F7-E3B1-491E-AA25-5C80C43433AC}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | 
"{1C1E60AC-38FA-49C6-A3AB-DA6044B25F63}" = protocol=6 | dir=in | app=c:\program files (x86)\ea games\battlefield 2\bf2.exe | 
"{1C8BBD77-ADF0-4DDF-83F0-692F15E148EA}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\total war shogun 2\shogun2.exe | 
"{1E3775C9-F77D-4754-994A-7BE846AF1B1F}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\bioshock infinite\binaries\win32\benchmark.bat | 
"{214A6364-8F5D-4EC8-B61E-A497081ABD18}" = protocol=17 | dir=in | app=d:\games\ubisoft\farcry 3\bin\fc3editor.exe | 
"{26305648-2DE6-4C13-8607-C21D062C7EB0}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\aquaria\aquaria.exe | 
"{28BE5819-67A1-438C-85EF-364F4A35213C}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\penumbra overture\redist\penumbra.exe | 
"{2DB1D1FF-DA47-41E4-9EFE-DFDEFB44FEB0}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\multiwinia\multiwinia.exe | 
"{3020F56D-C1E2-477A-8B55-58A0CA31ECF0}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\amnesia the dark descent\launcher.exe | 
"{3595D0E2-DE31-4AC1-8E72-309C2AD4B118}" = protocol=6 | dir=in | app=c:\program files (x86)\dyyno broadcaster\dppm_source.exe | 
"{371F8D6D-4187-46B0-AB9E-D757D40CFEDA}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\plants vs zombies\plantsvszombies.exe | 
"{3B4ED0B6-5B1C-4DA4-950D-F30F9B4170CA}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe | 
"{3B875543-329B-48D5-8EF7-AAEF9A7771F1}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\bioshock infinite\binaries\win32\bioshockinfinite.exe | 
"{3EAA9F58-2AA7-4F59-B5DD-FACA4093E2B0}" = protocol=17 | dir=in | app=c:\games\starcraft ii\starcraft ii.exe | 
"{3FCBB7F3-89D6-4403-AC19-14E95D10A362}" = protocol=17 | dir=in | app=c:\program files (x86)\dyyno broadcaster\dgcsrv.exe | 
"{403EB79C-1D9E-46C0-8D82-6049F1BDECF3}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\braid\braid.exe | 
"{42DB9E0E-026A-4527-9D38-4232FAFE2298}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\osmos\osmos.exe | 
"{48089C6E-F701-4977-B0C1-126E6334D651}" = protocol=6 | dir=in | app=d:\games\ubisoft\farcry 3\bin\farcry3.exe | 
"{49383B27-1AEB-49D5-AD16-FDA0BA8F3761}" = dir=in | app=c:\program files (x86)\nokia\nokia suite\nokiasuite.exe | 
"{4CBDAC2B-7A82-4DCD-9EA3-86499A9B60B2}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\plants vs zombies\plantsvszombies.exe | 
"{4E2D843E-B077-488E-A8D2-FDBC7B59528E}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\happy song prototype\afmana.exe | 
"{4E9C8472-E760-43C1-8262-E7040EF91EC7}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\world of goo\worldofgoo.exe | 
"{52F096A1-80B1-49AB-9B16-B77B0939A5B5}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\machinarium\machinarium.exe | 
"{53450DAD-4214-46DE-BC47-2BC607AFAAB4}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\total war shogun 2\shogun2.exe | 
"{5477DA64-7F34-4A45-BBA7-D169345B80A4}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\uplink\uplink.exe | 
"{5835AA89-201B-41DE-AFB8-7C25433BE4EE}" = protocol=6 | dir=in | app=d:\games\ubisoft\farcry 3\bin\farcry3_d3d11.exe | 
"{596E529B-34FF-4026-B02A-0070FB82DCA4}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\total war shogun 2\data\encyclopedia\how_to_play.html | 
"{5993D284-E1A5-4A2B-A5DC-A335B747A8A4}" = protocol=6 | dir=in | app=c:\program files (x86)\opera\pluginwrapper\opera_plugin_wrapper.exe | 
"{5BF0786B-8FBD-4270-8C9D-74D8FA56F52F}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | 
"{5F2008B7-67C6-4B19-9524-A182B672FBA5}" = protocol=6 | dir=in | app=c:\games\starcraft ii\starcraft ii.exe | 
"{5F9A8947-C450-4ADF-AFFE-923046D5F650}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\costume quest prototype\afcq.exe | 
"{605BE6FF-D152-4C18-98E3-99B7D0970387}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe | 
"{622EF6CE-4E18-456B-9520-4DCBC4C76C6C}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\magical drop v\magicaldropv.exe | 
"{62A7B968-FF24-4850-BA47-93333D046296}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{67338372-933F-46F8-A845-432B5F538334}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\machinarium\machinarium.exe | 
"{67F0DCF9-0950-4A45-BF86-8AC51810ACBE}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe | 
"{69F386BD-38FA-44A3-996E-2E3752B7C256}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\amnesia the dark descent\launcher.exe | 
"{6AAD002D-2826-41BC-9F0A-F7EAEA1569E7}" = protocol=6 | dir=in | app=c:\program files (x86)\dyyno broadcaster\dgcsrv.exe | 
"{6E9DB23F-A9AA-4273-BF98-8FDE48920043}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\swarm arena\swarm.exe | 
"{73F3379C-6231-45BB-B541-19658B6904BD}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\universe sandbox\universe sandbox.exe | 
"{749580F8-0E57-4406-9479-E94CC870EF51}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\antichamber\binaries\win32\udk.exe | 
"{76E27886-90E7-48B5-BCA3-8CACB09EC7C9}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\demigod\bin\demigod.exe | 
"{7944EF91-FB1D-465C-AEBC-AB6E060B3FA7}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\botanicula\botanicula.exe | 
"{796E2790-ACBF-4188-9332-9DBDA492FCF1}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\bastion\bastion.exe | 
"{7A1BEB0E-1E1E-447E-8FCC-3BC2C1122D0A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe | 
"{7A95BD78-474A-4530-80B3-AAD58582A1C6}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | 
"{7BC063DF-8300-4736-BB9F-30232AE4D5E3}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\superbrothers sword & sworcery ep\swordandsworcery_pc.exe | 
"{7C5918CE-E750-45DC-B298-3A1DFEBC0E74}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\uplink\uplink.exe | 
"{8244A58F-043C-4F47-9C08-AC57751115B0}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\mortal kombat arcade kollection\binaries\win32\mkhdgame.exe | 
"{85BE4122-C238-485D-A390-300862815D18}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\costume quest prototype\afcq.exe | 
"{8A8CD888-1CA7-4B0B-BB02-FC81F41D41D1}" = protocol=17 | dir=in | app=d:\games\ubisoft\farcry 3\bin\farcry3_d3d11.exe | 
"{94844B9C-4977-4E7E-BA6B-092CD84DBD59}" = protocol=17 | dir=in | app=c:\users\hoof\appdata\roaming\dropbox\bin\dropbox.exe | 
"{94CBF7A1-6A89-45F0-BE02-4E212907B47F}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\osmos\osmos.exe | 
"{95E01C46-B278-48E0-AF09-B4C0692972F0}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\universe sandbox\universe sandbox.exe | 
"{9764158D-F9AE-4F37-A446-91DFC33B7832}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\osmos\osmos.exe | 
"{9AE0B405-2AC7-46A4-828D-153195F8F079}" = protocol=6 | dir=in | app=d:\games\ubisoft\farcry 3\bin\fc3updater.exe | 
"{9C09ADAB-B40C-4DDA-81AC-434490D846C0}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe | 
"{9D843C6B-14F8-4A8F-8B38-8C3E7C407E87}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\crayon physics deluxe\launcher.exe | 
"{A098FA1A-9605-4846-BFD3-F849E5F39EFB}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\happy song prototype\afmana.exe | 
"{A1737F19-1171-43F7-9F89-E6367C3B002B}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\trine 2\trine2_launcher.exe | 
"{A5DD2F44-6F3E-4B57-BE83-544D16B68740}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\crayon physics deluxe\launcher.exe | 
"{A6AE5AA8-6804-43F6-B0DB-F7E440EB09BC}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\darwinia\darwinia.exe | 
"{A83F4B52-5A63-4BA4-99F0-CC7D385DBBFC}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\braid\braid.exe | 
"{AEA9E4EC-2612-4391-B4C8-A357A1BB84C6}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | 
"{B1BC28DD-5090-45A9-980C-47BB0F717025}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\aquaria\aquaria.exe | 
"{B27E8F90-B67B-4EA2-99A0-C1C13686DC18}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\mortal kombat arcade kollection\binaries\win32\mkhdgame.exe | 
"{B3DD4BDC-8A63-4706-B48A-16BFF05FF6C0}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\samorost 2\samorost2.exe | 
"{B3EFA25C-9741-423D-867C-1D370AAB1F04}" = protocol=17 | dir=in | app=d:\games\ubisoft\farcry 3\bin\farcry3.exe | 
"{B4EB0E4B-1DF7-4A7B-AF81-B1038F2E6E1C}" = protocol=17 | dir=in | app=c:\program files (x86)\opera\opera.exe | 
"{B81E6A47-6875-45C6-9C9F-5EBFB62CF0A4}" = protocol=6 | dir=in | app=c:\program files (x86)\opera\opera.exe | 
"{B9A3AADC-6A6E-4E63-AAC1-68EE51F3B16A}" = protocol=17 | dir=in | app=d:\games\ubisoft\farcry 3\bin\fc3updater.exe | 
"{BA5FCEE8-5CEE-4184-B7E0-BC53D363C6FE}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\total war shogun 2\benchmarks\benchmark_current_settings.bat | 
"{C5553A4B-EA20-40EF-84B6-C2580C4648A2}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\botanicula\botanicula.exe | 
"{CC564AAE-655A-4549-A316-41147DC7B245}" = protocol=6 | dir=in | app=d:\games\ubisoft\farcry 3\bin\fc3editor.exe | 
"{D144D870-D567-44B5-8309-B20FCD6CE13E}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\bioshock infinite\binaries\win32\bioshockinfinite.exe | 
"{D1A85A96-E74F-4112-A02C-753968D757E4}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\aquaria\aquaria.exe | 
"{D2DCB1D3-2246-48ED-AF80-9F1CC4589666}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe | 
"{D2F6E123-BF2D-4A31-80A0-25DACE3441EA}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\multiwinia\multiwinia.exe | 
"{D5E6CBD8-E7B4-4D22-8756-810112E13520}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\bioshock infinite\binaries\win32\benchmark.bat | 
"{D70B0B2A-2BAC-41EC-8B60-5D525FE9A439}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\world of goo\worldofgoo.exe | 
"{D7C58713-16BC-4F57-AB9D-D10970E6D76A}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\trine 2\trine2_launcher.exe | 
"{DA833177-3228-4714-B5EE-08EDDE746707}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe | 
"{DADDA39A-A5AD-4ECB-9FE6-8D50FBE922AD}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\amnesia the dark descent\launcher.exe | 
"{DFB399D6-5E12-4A3B-BC73-276948F7E732}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\total war shogun 2\benchmarks\benchmark_specify_properties.bat | 
"{E2759DAB-7774-47A6-A696-343411EC5845}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\demigod\bin\demigod.exe | 
"{E28DC483-6F85-4406-A6BE-9B9550D3460D}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\darwinia\darwinia.exe | 
"{E38679F4-FC11-419F-946F-46079BB6CA56}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\crysis\bin32\crysis.exe | 
"{E5EE8034-227A-4219-9EA9-D56343CBCD62}" = protocol=17 | dir=in | app=c:\program files (x86)\opera\pluginwrapper\opera_plugin_wrapper.exe | 
"{E69314EB-F012-40AC-A6D6-A47D881955FF}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\penumbra overture\redist\penumbra.exe | 
"{E87A472A-D682-45E0-AD2B-4750E8043684}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\amnesia the dark descent\launcher.exe | 
"{E8F06477-2EAE-4958-AA1E-402A73FF9B05}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\world of goo\worldofgoo.exe | 
"{E95735DB-1F7A-470B-AA05-DFA693CFC703}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\bastion\bastion.exe | 
"{EA42098A-E117-4FDF-AB4F-6ECE8EED6010}" = protocol=6 | dir=in | app=c:\users\hoof\appdata\roaming\dropbox\bin\dropbox.exe | 
"{F06A5E71-2408-456D-9CBF-6F5A31D291DA}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe | 
"{F31AE1EE-C484-4141-A7CF-1B669F3DF1AD}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\defcon\defcon.exe | 
"{F498D8B5-8C49-4FF0-8F03-52FCE6F1B9D6}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\total war shogun 2\benchmarks\benchmark_current_settings.bat | 
"{F8F5C5D2-B3E0-47CB-9B4F-805B35777056}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\crysis\bin32\crysis.exe | 
"{FA095543-4171-4A5D-99C8-66F6D6AA9695}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\swarm arena\swarm.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP610_series" = Canon MP610 series
"{4975DE61-6BF6-B9BC-1FDE-C04C5EC78E4C}" = AMD Media Foundation Decoders
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{4D668D4F-FAA2-4726-834C-31F4614F312E}" = MSVC80_x64_v2
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5E03A267-415E-5383-FA8F-3CE4145663B9}" = AMD Catalyst Install Manager
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{680EDA59-9266-44B4-949E-0C24F65DFF82}" = Microsoft_VC100_CRT_SP1_x64
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{89EE4A30-080F-2C95-6F78-C98D18FBD74D}" = AMD Accelerated Video Transcoding
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{90140000-0011-0000-1000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0407-1000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0015-0409-1000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0407-1000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0016-0409-1000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0017-0407-1000-0000000FF1CE}" = Microsoft Office SharePoint Designer MUI (German) 2010
"{90140000-0018-0407-1000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0018-0409-1000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0407-1000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-0019-0409-1000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0407-1000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001A-0409-1000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0407-1000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001B-0409-1000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0407-1000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0409-1000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-1000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0410-1000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-001F-0C0A-1000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0407-1000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-002C-0409-1000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0043-0000-1000-0000000FF1CE}" = Microsoft Office Office 32-bit Components 2010
"{90140000-0043-0407-1000-0000000FF1CE}" = Microsoft Office Shared 32-bit MUI (German) 2010
"{90140000-0043-0409-1000-0000000FF1CE}" = Microsoft Office Shared 32-bit MUI (English) 2010
"{90140000-0044-0407-1000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2010
"{90140000-0044-0409-1000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0407-1000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-006E-0409-1000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0407-1000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00A1-0409-1000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0407-1000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2010
"{90140000-00BA-0409-1000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0100-0407-1000-0000000FF1CE}" = Microsoft Office O MUI (German) 2010
"{90140000-0101-0407-1000-0000000FF1CE}" = Microsoft Office X MUI (German) 2010
"{90140000-0115-0409-1000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-1000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{9CF11D16-ECEB-90A5-A028-CA9E068D848B}" = ccc-utility64
"{A2AA3E06-2A11-4803-8515-A49628E65515}" = Nitro Reader 3
"{A7EEF79E-06B2-4382-9D2E-39DBA0F72D50}" = Eraser 6.0.8.2273
"{AB071C8B-873C-459F-ACA9-9EBE03C3E89B}" = MSVC90_x64
"{ADED6869-D6D1-671E-9653-3782C21FA809}" = AMD Drag and Drop Transcoding
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
"{E62381A7-B1C1-4121-8262-84D38C77786C}" = COMODO Internet Security
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{FA53034E-566C-477E-BA56-93AFA4DE6092}" = MySQL Connector/ODBC 3.51
"6af12c54-643b-4752-87d0-8335503010de_is1" = Nexus Mod Manager
"CANONIJINBOXADDON200" = Canon Inkjet Printer Driver Add-On Module V2.00
"CCleaner" = CCleaner
"FCEC33AD40CEA5E0FC4CEE6E42041A0DA189652D" = Windows-Treiberpaket - Nokia pccsmcfd  (08/22/2008 7.0.0.0)
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Office14.OMUI.de-de" = Microsoft Office Language Pack 2010 - German/Deutsch
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"Recuva" = Recuva
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"TeraCopy_is1" = TeraCopy 2.27
"UDK-a53ff228-a0db-44a5-8e92-a3fcc7bbe3e7" = My Game Long Name
"Virtual Audio Cable 4.10" = Virtual Audio Cable 4.10
"WinRAR archiver" = WinRAR
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{017F8447-2A1D-0DDB-B5D7-CA2BFACE2886}" = CCC Help French
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2(TM)
"{054E9A1C-3EA2-C657-E787-FD8DCF5C3D3B}" = CCC Help Czech
"{0659E943-DDF4-44FC-9FEE-A13B09F8BB08}" = Adobe Flash Media Live Encoder 3.2
"{0ABBF310-94E4-4AE8-A6BD-10345A3F6439}" = Google Drive
"{0BEB28E4-E5EA-40DE-8982-1F13005DC08B}" = SlimDrivers
"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
"{1DE2BD51-0300-772D-5E18-F337D95D5687}" = CCC Help German
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{224E8FEB-5C1F-077F-6FC5-602AC1AE644D}" = CCC Help Danish
"{26A24AE4-039D-4CA4-87B4-2F83216034FF}" = Java(TM) 6 Update 34
"{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 9
"{275E9C49-C72F-D754-DEB7-77F10A9C00D8}" = CCC Help Japanese
"{2E20B367-3D6B-4A0D-B5BA-218769DDDDEC}_is1" = Audiosurf DE
"{30049739-BE95-6591-B504-E6D7057D49CC}" = CCC Help Spanish
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = Gigabyte Raid Configurer
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3F1EB155-F96E-EB7B-2EF2-7375490E0FA9}" = CCC Help English
"{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}" = NVIDIA PhysX
"{44257960-C5CC-45BA-8E83-524E4A0F3FD5}" = Cisco AnyConnect VPN Client
"{46B65150-F8AA-42F2-94FB-2729A8AE5F7E}" = SPSS Statistics 17.0
"{48530DE6-19F9-489D-809E-AFAA8AACC6DF}" = SplitMediaLabs VH Screen Capture Driver (x86)
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AA62353-C8D9-4A05-A425-D9DFC4646B99}_is1" = FFsplit version Alpha
"{4AA68A73-DB9C-439D-9481-981C82BD008B}" = Nokia Connectivity Cable Driver
"{4B023D7B-9E67-795D-FB31-B5E1F6DCA451}" = CCC Help Italian
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{4F64A46D-67F7-4497-AEA2-313D4305A5F6}" = Torchlight
"{5454085C-129F-416C-9C0B-8B1000058301}" = BioShock 2
"{5454085C-129F-416C-9C0B-8B1000058302}" = BioShock 2
"{5454085C-129F-416C-9C0B-8B1000058303}" = BioShock 2
"{55F6C486-8C75-2A72-DAFE-CE78A624C9F7}" = CCC Help Russian
"{5AF23993-7152-1620-E43F-1B4542FB4F84}" = CCC Help Thai
"{63326924-3CAF-C858-3A8F-8598C87019D7}" = Catalyst Control Center
"{63822E89-11AA-F8EC-D433-F72A85799EC0}" = CCC Help Greek
"{66361420-4905-AEB8-17AE-172FDD164A7E}" = CCC Help Polish
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}" = Power Tab Editor 1.7
"{6C772996-BFF3-3C8C-860B-B3D48FF05D65}" = Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.51106
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{769F2A4B-84A3-9486-ADD2-9E5AB4B4E1E3}" = Catalyst Control Center InstallProxy
"{79A64F98-1796-4FA2-B5FF-C90F83D8BACD}" = Vodafone Mobile Connect Lite
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7EE873AF-46BB-4B5D-BA6F-CFE4B0566E22}" = TuneUp Utilities Language Pack (de-DE)
"{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator 5.0.0
"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8773DD1C-5FB2-95B5-5A93-0EFEAC900A4D}" = CCC Help Norwegian
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CCBB0BF-9CC1-1A65-BB93-56012A460EE6}" = CCC Help Portuguese
"{8e70e4e1-06d7-470b-9f74-a51bef21088e}" = Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106
"{92D1CEBC-7C72-4ECF-BFC6-C131EF3FE6A7}" = Nokia Suite
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A0A3CE05-96CB-52E9-434E-074F3BB7807E}" = CCC Help Turkish
"{A2AA4204-C05A-4013-888A-AD153139297F}" = PC Connectivity Solution
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9C64319-932F-D02B-B14C-FFFC3EC49E77}" = CCC Help Chinese Standard
"{AAF42F9E-8900-4FC1-8087-000B12A91AE2}" = Tunebite
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.0) - Deutsch
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{C09DB932-7619-7B56-30E3-C0454811D6D7}" = CCC Help Korean
"{C22A4697-BD77-ACB1-744F-1FD0A0BFF798}" = CCC Help Swedish
"{C25215FC-5900-48B0-B93C-8D3379027312}" = PASW Statistics 18
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities
"{D4B457B2-260F-C561-CA87-703BD3B724CA}" = Catalyst Control Center Graphics Previews Common
"{D6CDB506-297D-AE70-0EF6-DE5185F961BE}" = CCC Help Chinese Traditional
"{E2F0AF23-FE2F-4222-9A43-55E63CC41EF1}" = Catalyst Control Center - Branding
"{E3B64CC5-C011-40C0-92BC-7316CD5E5688}" = Microsoft_VC100_CRT_SP1_x86
"{E3B9C5A9-BD7A-4B56-B754-FAEA7DD6FA88}" = Far Cry 3
"{E4DA3403-9797-2600-2A09-C06429FDE753}" = Application Profiles
"{E824E81C-80A4-3DFF-B5F9-4842A9FF5F7F}" = Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.51106
"{EC9F368A-79DC-4AAE-907A-FC02D512034E}" = RippMe
"{ECFD508E-68A2-91B2-46DD-1D03D783D94B}" = Catalyst Control Center Localization All
"{EDE361D5-35A5-DA7D-3462-C3DABD24029B}" = CCC Help Hungarian
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E7DD6A-AE2D-D706-BEB3-937F76CA6AE9}" = CCC Help Finnish
"{F56F54DD-BCB2-1221-2CB7-E983A5CF9D15}" = CCC Help Dutch
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"888poker" = 888poker
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Afterburner" = MSI Afterburner 2.2.3
"AIMP3" = AIMP3
"Alldj DVD Ripper Platium_is1" = Alldj DVD Ripper Platium 4.0
"AllDup_is1" = AllDup 3.4.8
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.13 (Unicode)
"Avira AntiVir Desktop" = Avira Free Antivirus
"bgbennyboyCMIReplacementSetup_is1" = Curse Of Monkey Island
"CamStudio" = CamStudio
"CDex" = CDex - Open Source Digital Audio CD Extractor
"Comodo Dragon" = Comodo Dragon
"DAEMON Tools Lite" = DAEMON Tools Lite
"Diablo III" = Diablo III
"DivX Setup" = DivX-Setup
"DVD Shrink DE_is1" = DVD Shrink 3.2 deutsch (DeCSS-frei)
"DVDx 4.0 Open Edition" = DVDx 4.0 Open Edition
"Dyyno Broadcaster" = Dyyno Broadcaster
"EASEUS Partition Master Home Edition_is1" = EASEUS Partition Master 9.1.1 Home Edition
"Easy-PhotoPrint EX" = Canon Easy-PhotoPrint EX
"FileZilla Client" = FileZilla Client 3.5.3
"foobar2000" = foobar2000 v1.2.2
"FormatFactory" = FormatFactory 3.0.1
"Free DVD Decrypter_is1" = Free DVD Decrypter version 1.5.6.908
"Free Metronome" = Free Metronome 1.1.0 r1 
"Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 2.2
"Free YouTube Download 3_is1" = Free YouTube Download 3 version 3.0.3.622
"Free YouTube Download_is1" = Free YouTube Download version 3.1.37.918
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.11.32.918
"GOM Player" = GOM Player
"GomTVStreamer" = GOMTV Streamer
"Google Chrome" = Google Chrome
"HotspotShield" = Hotspot Shield 2.88
"ID3-TagIT 3_is1" = ID3-TagIT 3
"ImgBurn" = ImgBurn
"IrfanView" = IrfanView (remove only)
"LAME for Audacity_is1" = LAME v3.98.3 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"MISEC" = Monkey Island™ Special Edition Collection
"MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
"Mp3tag" = Mp3tag v2.53
"Nokia Suite" = Nokia Suite
"Notepad++" = Notepad++
"OpenAL" = OpenAL
"OpenVPN" = OpenVPN 2.2.2
"Opera 12.01.1532" = Opera 12.01
"Origin" = Origin
"pcsx2-r4600" = PCSX2 - Playstation 2 Emulator
"PokerStars" = PokerStars
"Polipo" = Polipo 1.0.4.1
"PowerISO" = PowerISO
"PunkBusterSvc" = PunkBuster Services
"RidNacs_is1" = RidNacs 2.0.3
"RivaTuner" = RivaTuner v2.24
"Runic Games Torchlight" = Torchlight
"SecureW2 EAP Suite" = SecureW2 EAP Suite 2.0.2 for Windows
"SopCast" = SopCast 3.3.2
"StarCraft II" = StarCraft II
"Steam App 107100" = Bastion
"Steam App 1500" = Darwinia
"Steam App 1510" = Uplink
"Steam App 1520" = DEFCON
"Steam App 1530" = Multiwinia
"Steam App 17300" = Crysis
"Steam App 202710" = Demigod
"Steam App 204060" = Superbrothers: Sword & Sworcery EP
"Steam App 204960" = Magical Drop V
"Steam App 205350" = Mortal Kombat Kollection
"Steam App 219890" = Antichamber
"Steam App 22000" = World of Goo
"Steam App 22180" = Penumbra: Overture
"Steam App 225940" = Happy Song Prototype
"Steam App 225960" = Costume Quest Prototype
"Steam App 24420" = Aquaria
"Steam App 26800" = Braid
"Steam App 26900" = Crayon Physics Deluxe
"Steam App 29180" = Osmos
"Steam App 34330" = Total War: SHOGUN 2
"Steam App 35720" = Trine 2
"Steam App 3590" = Plants vs. Zombies: Game of the Year
"Steam App 40700" = Machinarium
"Steam App 40720" = Samorost 2
"Steam App 440" = Team Fortress 2
"Steam App 46600" = Swarm Arena
"Steam App 48000" = LIMBO
"Steam App 57300" = Amnesia: The Dark Descent
"Steam App 72200" = Universe Sandbox
"TechPowerUp GPU-Z" = TechPowerUp GPU-Z
"The Elder Scrolls V Skyrim Update 11 (1.8.151.0.7) Deutsche Version 1.00" = The Elder Scrolls V Skyrim Update 11 (1.8.151.0.7) Deutsche Version 1.00
"Tor" = Tor 0.2.2.35
"Trine_is1" = Trine
"Tunatic" = Tunatic
"TuneUp Utilities" = TuneUp Utilities
"uniquemagicmp3taggerappid_is1" = Magic MP3 Tagger 2.2.6
"Vidalia" = Vidalia 0.2.15
"VLC media player" = VLC media player 2.0.1
"WinHotKey_is1" = WinHotKey 0.70
"XviD MPEG4 Video Codec" = XviD MPEG4 Video Codec (remove only)
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-1699689582-2667143130-2167436585-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 07.08.2012 17:55:28 | Computer Name = Hoof-PC | Source = Windows Search Service | ID = 7042
Description = 
 
Error - 07.08.2012 17:55:28 | Computer Name = Hoof-PC | Source = Windows Search Service | ID = 9002
Description = 
 
Error - 07.08.2012 17:55:28 | Computer Name = Hoof-PC | Source = Windows Search Service | ID = 3029
Description = 
 
Error - 07.08.2012 17:55:29 | Computer Name = Hoof-PC | Source = Windows Search Service | ID = 3029
Description = 
 
Error - 07.08.2012 17:55:29 | Computer Name = Hoof-PC | Source = Windows Search Service | ID = 3028
Description = 
 
Error - 07.08.2012 17:55:29 | Computer Name = Hoof-PC | Source = Windows Search Service | ID = 3058
Description = 
 
Error - 07.08.2012 17:55:29 | Computer Name = Hoof-PC | Source = Windows Search Service | ID = 7010
Description = 
 
Error - 08.08.2012 01:52:07 | Computer Name = Hoof-PC | Source = VMCService | ID = 0
Description = conflictManagerTypeValue
 
Error - 08.08.2012 15:45:57 | Computer Name = Hoof-PC | Source = VMCService | ID = 0
Description = conflictManagerTypeValue
 
Error - 09.08.2012 08:28:00 | Computer Name = Hoof-PC | Source = VMCService | ID = 0
Description = conflictManagerTypeValue
 
[ Cisco AnyConnect VPN Client Events ]
Error - 26.03.2013 11:16:47 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: CDNSRequest::processResponse File: .\IP\DNSRequest.cpp Line:
 529 Invoked Function: CUDPDNS::Parse Return Code: -29687802 (0xFE3B0006) Description:
 IPPACKET_ERROR_INSUFFICIENT_BUFFER 
 
Error - 26.03.2013 11:16:47 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: CDNSRequest::OnSocketReadComplete File: .\IP\DNSRequest.cpp
Line:
 1069 Invoked Function: CDNSRequest::processResponse Return Code: -29687802 (0xFE3B0006)
Description:
 IPPACKET_ERROR_INSUFFICIENT_BUFFER Failed to resolve 65.167.174.193.in-addr.arpa
 via DNS server 192.168.2.1
 
Error - 26.03.2013 11:33:20 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: MSSaxErrorHandlerImpl::fatalError File: .\Xml\MSSaxErrorHandlerImpl.cpp
Line:
 31 Invoked Function: CVCMSSaxParser Return Code: -1072897499 (0xC00CE225) Description:
 WINDOWS_ERROR_CODE XML Parser fatal error: Fehler bei der Überprüfung.  
 
Error - 26.03.2013 11:33:21 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: fileExists File: .\Utility\sysutils.cpp Line: 500 Invoked Function:
 _tstat Return Code: 2 (0x00000002) Description: Das System kann die angegebene Datei
 nicht finden.   File: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\InitialFirewallConfig.wfw
Error:
 No such file or directory
 
Error - 26.03.2013 12:45:00 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: MSSaxErrorHandlerImpl::fatalError File: .\Xml\MSSaxErrorHandlerImpl.cpp
Line:
 31 Invoked Function: CVCMSSaxParser Return Code: -1072897499 (0xC00CE225) Description:
 WINDOWS_ERROR_CODE XML Parser fatal error: Fehler bei der Überprüfung.  
 
Error - 26.03.2013 12:45:01 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: fileExists File: .\Utility\sysutils.cpp Line: 500 Invoked Function:
 _tstat Return Code: 2 (0x00000002) Description: Das System kann die angegebene Datei
 nicht finden.   File: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\InitialFirewallConfig.wfw
Error:
 No such file or directory
 
Error - 26.03.2013 17:53:20 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: MSSaxErrorHandlerImpl::fatalError File: .\Xml\MSSaxErrorHandlerImpl.cpp
Line:
 31 Invoked Function: CVCMSSaxParser Return Code: -1072897499 (0xC00CE225) Description:
 WINDOWS_ERROR_CODE XML Parser fatal error: Fehler bei der Überprüfung.  
 
Error - 26.03.2013 17:53:20 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: fileExists File: .\Utility\sysutils.cpp Line: 500 Invoked Function:
 _tstat Return Code: 2 (0x00000002) Description: Das System kann die angegebene Datei
 nicht finden.   File: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\InitialFirewallConfig.wfw
Error:
 No such file or directory
 
Error - 26.03.2013 18:06:18 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: MSSaxErrorHandlerImpl::fatalError File: .\Xml\MSSaxErrorHandlerImpl.cpp
Line:
 31 Invoked Function: CVCMSSaxParser Return Code: -1072897499 (0xC00CE225) Description:
 WINDOWS_ERROR_CODE XML Parser fatal error: Fehler bei der Überprüfung.  
 
Error - 26.03.2013 18:06:19 | Computer Name = Hoof-PC | Source = vpnagent | ID = 67108866
Description = Function: fileExists File: .\Utility\sysutils.cpp Line: 500 Invoked Function:
 _tstat Return Code: 2 (0x00000002) Description: Das System kann die angegebene Datei
 nicht finden.   File: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\InitialFirewallConfig.wfw
Error:
 No such file or directory
 
[ System Events ]
Error - 26.03.2013 01:00:53 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   UimBus  Uim_IM
 
Error - 26.03.2013 01:29:33 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7009
Description = Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst
 Steam Client Service erreicht.
 
Error - 26.03.2013 01:29:33 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Steam Client Service" wurde aufgrund folgenden Fehlers
 nicht gestartet:   %%1053
 
Error - 26.03.2013 06:37:30 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   UimBus  Uim_IM
 
Error - 26.03.2013 11:33:40 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   UimBus  Uim_IM
 
Error - 26.03.2013 11:33:41 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7038
Description = Der Dienst "WinHttpAutoProxySvc" konnte sich nicht als "NT AUTHORITY\LocalService"
 mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden:   %%1352    Vergewissern
 Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft
 Management Console (MMC).
 
Error - 26.03.2013 11:33:41 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "WinHTTP-Web Proxy Auto-Discovery-Dienst" wurde aufgrund
 folgenden Fehlers nicht gestartet:   %%1069
 
Error - 26.03.2013 12:45:23 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   UimBus  Uim_IM
 
Error - 26.03.2013 17:54:33 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   UimBus  Uim_IM
 
Error - 26.03.2013 18:06:33 | Computer Name = Hoof-PC | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen:
   UimBus  Uim_IM
 
 
< End of report >

defogger Log

Code:

ATTFilter

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 23:21 on 26/03/2013 (Hoof)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Fortsetzung folgt

PhattCasper · 27.03.2013, 09:09

Fortsetzung

gmer Log 1

Code:

ATTFilter

GMER 2.1.19155 - hxxp://www.gmer.net
Rootkit scan 2013-03-27 08:36:39
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000078 ATA_____ rev.0001 931,51GB
Running: gmer_2.1.19155.exe; Driver: C:\Users\Hoof\AppData\Local\Temp\kxldipob.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable                                                                                                            fffff960001b2400 7 bytes [00, 94, F3, FF, 01, 9D, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8                                                                                                        fffff960001b2408 3 bytes [00, 07, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077ce13c0 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077ce15c0 8 bytes JMP 000000016fff0110
.text  C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077ce1b60 8 bytes JMP 000000016fff0148
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                            0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                              0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                 0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                      0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                              0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                           0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                 0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                         0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                          0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                       0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                   0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                            0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                       0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                               0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                           0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                              0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                        0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                            0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                   0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                  0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                        0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                    0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                 0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                       0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                       0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                       000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!RegisterRawInputDevices                                                                0000000077a76ef0 8 bytes JMP 000000016fff06f8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SystemParametersInfoA                                                                  0000000077a78184 7 bytes JMP 000000016fff0880
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SetParent                                                                              0000000077a78530 8 bytes JMP 000000016fff0730
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!PostMessageA                                                                           0000000077a7a404 5 bytes JMP 000000016fff0308
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!EnableWindow                                                                           0000000077a7aaa0 9 bytes JMP 000000016fff08f0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!MoveWindow                                                                             0000000077a7aad0 8 bytes JMP 000000016fff0768
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!GetAsyncKeyState                                                                       0000000077a7c720 5 bytes JMP 000000016fff06c0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!RegisterHotKey                                                                         0000000077a7cd50 8 bytes JMP 000000016fff0848
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!PostThreadMessageA                                                                     0000000077a7d2b0 5 bytes JMP 000000016fff0378
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendMessageA                                                                           0000000077a7d338 5 bytes JMP 000000016fff03e8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendNotifyMessageW                                                                     0000000077a7dc40 9 bytes JMP 000000016fff0570
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SystemParametersInfoW                                                                  0000000077a7f510 7 bytes JMP 000000016fff08b8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                                      0000000077a7f874 9 bytes JMP 000000016fff0298
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendMessageTimeoutW                                                                    0000000077a7fac0 9 bytes JMP 000000016fff0490
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!PostThreadMessageW                                                                     0000000077a80b74 10 bytes JMP 000000016fff03b0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                        0000000077a84d4c 3 bytes JMP 000000016fff02d0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SetWinEventHook + 4                                                                    0000000077a84d50 1 byte [F8]
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!GetKeyState                                                                            0000000077a85010 5 bytes JMP 000000016fff0688
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendMessageCallbackW                                                                   0000000077a85438 7 bytes JMP 000000016fff0500
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendMessageW                                                                           0000000077a86b50 5 bytes JMP 000000016fff0420
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!PostMessageW                                                                           0000000077a876e4 7 bytes JMP 000000016fff0340
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendDlgItemMessageW                                                                    0000000077a8dd90 5 bytes JMP 000000016fff05e0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!GetClipboardData                                                                       0000000077a8e874 5 bytes JMP 000000016fff0810
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SetClipboardViewer                                                                     0000000077a8f780 8 bytes JMP 000000016fff07a0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendNotifyMessageA                                                                     0000000077a928e4 12 bytes JMP 000000016fff0538
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!mouse_event                                                                            0000000077a93894 7 bytes JMP 000000016fff0228
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!GetKeyboardState                                                                       0000000077a98a10 8 bytes JMP 000000016fff0650
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendMessageTimeoutA                                                                    0000000077a98be0 12 bytes JMP 000000016fff0458
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                                      0000000077a98c20 12 bytes JMP 000000016fff0260
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendInput                                                                              0000000077a98cd0 8 bytes JMP 000000016fff0618
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!BlockInput                                                                             0000000077a9ad60 8 bytes JMP 000000016fff07d8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!ExitWindowsEx                                                                          0000000077ac14e0 5 bytes JMP 000000016fff0928
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!keybd_event                                                                            0000000077ae45a4 7 bytes JMP 000000016fff01f0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendDlgItemMessageA                                                                    0000000077aecc08 5 bytes JMP 000000016fff05a8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\USER32.dll!SendMessageCallbackA                                                                   0000000077aedf18 7 bytes JMP 000000016fff04c8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\GDI32.dll!BitBlt                                                                                  000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                 000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\GDI32.dll!CreateDCW                                                                               000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\GDI32.dll!CreateDCA                                                                               000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\GDI32.dll!GetPixel                                                                                000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\GDI32.dll!StretchBlt                                                                              000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\wininit.exe[696] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                  000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\csrss.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort                                                                    0000000077ce13c0 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\csrss.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx                                                                  0000000077ce15c0 8 bytes JMP 000000016fff0110
.text  C:\Windows\system32\csrss.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077ce1b60 8 bytes JMP 000000016fff0148
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\services.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                 000007feff226bd0 5 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!RegisterRawInputDevices                                                               0000000077a76ef0 8 bytes JMP 000000016fff06f8
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SystemParametersInfoA                                                                 0000000077a78184 7 bytes JMP 000000016fff0880
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetParent                                                                             0000000077a78530 8 bytes JMP 000000016fff0730
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!PostMessageA                                                                          0000000077a7a404 5 bytes JMP 000000016fff0308
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!EnableWindow                                                                          0000000077a7aaa0 9 bytes JMP 000000016fff08f0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!MoveWindow                                                                            0000000077a7aad0 8 bytes JMP 000000016fff0768
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!GetAsyncKeyState                                                                      0000000077a7c720 5 bytes JMP 000000016fff06c0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!RegisterHotKey                                                                        0000000077a7cd50 8 bytes JMP 000000016fff0848
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!PostThreadMessageA                                                                    0000000077a7d2b0 5 bytes JMP 000000016fff0378
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageA                                                                          0000000077a7d338 5 bytes JMP 000000016fff03e8
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendNotifyMessageW                                                                    0000000077a7dc40 9 bytes JMP 000000016fff0570
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SystemParametersInfoW                                                                 0000000077a7f510 7 bytes JMP 000000016fff08b8
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWindowsHookExW                                                                     0000000077a7f874 9 bytes JMP 000000016fff0298
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageTimeoutW                                                                   0000000077a7fac0 9 bytes JMP 000000016fff0490
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!PostThreadMessageW                                                                    0000000077a80b74 10 bytes JMP 000000016fff03b0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                       0000000077a84d4c 3 bytes JMP 000000016fff02d0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWinEventHook + 4                                                                   0000000077a84d50 1 byte [F8]
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!GetKeyState                                                                           0000000077a85010 5 bytes JMP 000000016fff0688
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageCallbackW                                                                  0000000077a85438 7 bytes JMP 000000016fff0500
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageW                                                                          0000000077a86b50 5 bytes JMP 000000016fff0420
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!PostMessageW                                                                          0000000077a876e4 7 bytes JMP 000000016fff0340
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendDlgItemMessageW                                                                   0000000077a8dd90 5 bytes JMP 000000016fff05e0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!GetClipboardData                                                                      0000000077a8e874 5 bytes JMP 000000016fff0810
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetClipboardViewer                                                                    0000000077a8f780 8 bytes JMP 000000016fff07a0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendNotifyMessageA                                                                    0000000077a928e4 12 bytes JMP 000000016fff0538
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!mouse_event                                                                           0000000077a93894 7 bytes JMP 000000016fff0228
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!GetKeyboardState                                                                      0000000077a98a10 8 bytes JMP 000000016fff0650
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageTimeoutA                                                                   0000000077a98be0 12 bytes JMP 000000016fff0458
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SetWindowsHookExA                                                                     0000000077a98c20 12 bytes JMP 000000016fff0260
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendInput                                                                             0000000077a98cd0 8 bytes JMP 000000016fff0618
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!BlockInput                                                                            0000000077a9ad60 8 bytes JMP 000000016fff07d8
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!ExitWindowsEx                                                                         0000000077ac14e0 5 bytes JMP 000000016fff0928
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!keybd_event                                                                           0000000077ae45a4 7 bytes JMP 000000016fff01f0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendDlgItemMessageA                                                                   0000000077aecc08 5 bytes JMP 000000016fff05a8
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\USER32.dll!SendMessageCallbackA                                                                  0000000077aedf18 7 bytes JMP 000000016fff04c8
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0378
.text  C:\Windows\system32\services.exe[760] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                              0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                   0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                        0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                             0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                   0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                           0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                            0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                         0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                     0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                              0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                         0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                 0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                             0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                          0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                              0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                     0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                    0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                          0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                      0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                         000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                  000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!BitBlt                                                                                    000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                   000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                 000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                 000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!GetPixel                                                                                  000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                    000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\lsass.exe[772] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                   000007feffb2a1a0 7 bytes JMP 000007fffdbb0180
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                  0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                     0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                          0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                  0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                               0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                     0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                             0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                              0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                           0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                       0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                           0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                   0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                               0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                  0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                            0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                       0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                      0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                            0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                        0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                           000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                    000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!BitBlt                                                                                      000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                     000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                   000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                   000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!GetPixel                                                                                    000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                  000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\lsm.exe[780] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                      000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                            0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                              0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                 0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                      0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                              0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                           0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                 0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                         0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                          0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                       0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                   0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                            0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                       0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                               0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                           0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                              0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                        0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                            0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                   0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                  0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                        0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                    0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                 0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                       0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                       0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                       000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                  000007feff226bd0 5 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                000007fefff322cc 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!BitBlt                                                                                  000007fefff324c0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                 000007fefff35be0 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!CreateDCW                                                                               000007fefff38398 9 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!CreateDCA                                                                               000007fefff389c8 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!GetPixel                                                                                000007fefff39344 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!StretchBlt                                                                              000007fefff3b9e8 5 bytes JMP 000007fffdbb0378
.text  C:\Windows\system32\svchost.exe[940] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                  000007fefff45410 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                            0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                              0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                 0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                      0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                              0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                           0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                 0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                         0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                          0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                       0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                   0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                            0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                       0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                               0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                           0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                              0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                        0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                            0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                   0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                  0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                        0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                    0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                       000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                  000007feff226bd0 5 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                000007fefff322cc 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\GDI32.dll!BitBlt                                                                                  000007fefff324c0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                 000007fefff35be0 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\GDI32.dll!CreateDCW                                                                               000007fefff38398 9 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\GDI32.dll!CreateDCA                                                                               000007fefff389c8 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\GDI32.dll!GetPixel                                                                                000007fefff39344 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\GDI32.dll!StretchBlt                                                                              000007fefff3b9e8 5 bytes JMP 000007fffdbb0378
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                  000007fefff45410 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[148] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                 000007feffb2a1a0 7 bytes JMP 000007fffdbb0180
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                            0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                              0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                 0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                      0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                              0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                           0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                 0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                         0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                          0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                       0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                   0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                            0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                       0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                               0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                           0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                              0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                        0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                            0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                   0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                  0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                        0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                    0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                 0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                       0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                       0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                       000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!BitBlt                                                                                  000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                 000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!CreateDCW                                                                               000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!CreateDCA                                                                               000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!GetPixel                                                                                000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!StretchBlt                                                                              000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[724] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                  000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                               0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                     0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                     0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                     000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\GDI32.dll!DeleteDC                                                                              000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\GDI32.dll!BitBlt                                                                                000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\GDI32.dll!MaskBlt                                                                               000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCW                                                                             000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\GDI32.dll!CreateDCA                                                                             000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\GDI32.dll!GetPixel                                                                              000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\GDI32.dll!StretchBlt                                                                            000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\atiesrxx.exe[1008] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\System32\svchost.exe[1048] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                000007feffb2a1a0 7 bytes JMP 000007fffdbb0180
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                000007feffb2a1a0 7 bytes JMP 000007fffdbb0180
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                 000007feff226bd0 5 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0378
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                000007feffb2a1a0 7 bytes JMP 000007fffdbb0180
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtClose                                          0000000077e8f9d0 5 bytes JMP 000000010025d120
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                               0000000077e8fca0 5 bytes JMP 000000010026fc20
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                       0000000077e8fd54 5 bytes JMP 000000010026e100
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                    0000000077e8fdb8 5 bytes JMP 000000010026ed90
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                          0000000077e8feb0 5 bytes JMP 000000010026c3c0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                  0000000077e8ff94 5 bytes JMP 000000010026e7a0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                   0000000077e8fff4 2 bytes JMP 0000000100270080
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                               0000000077e8fff7 2 bytes [3E, 88]
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                0000000077e90074 5 bytes JMP 000000010026fe40
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                     0000000077e900a4 5 bytes JMP 000000010026e400
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                0000000077e903a8 5 bytes JMP 000000010026cde0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                        0000000077e90540 5 bytes JMP 000000010026b670
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                    0000000077e90684 5 bytes JMP 000000010026f8b0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                       0000000077e9087c 5 bytes JMP 000000010026bfe0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                 0000000077e90894 5 bytes JMP 000000010026ca40
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                     0000000077e90de4 5 bytes JMP 000000010026f6a0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                            0000000077e90ec8 5 bytes JMP 000000010026f220
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                           0000000077e91bd4 5 bytes JMP 000000010026f460
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                 0000000077e91ca4 5 bytes JMP 000000010026c670
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                             0000000077e91d7c 5 bytes JMP 000000010026f020
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                       0000000077eac43a 5 bytes JMP 0000000100267f40
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                     0000000077eb11d7 7 bytes JMP 000000010025d240
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                0000000075a4103d 5 bytes JMP 0000000100265070
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                0000000075a41072 5 bytes JMP 0000000100265c00
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                          0000000075a6c9b5 5 bytes JMP 0000000100263ba0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                00000000773aed6a 5 bytes JMP 000000010025d270
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\GDI32.dll!DeleteDC                                         0000000076b058b3 5 bytes JMP 0000000100268d10
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\GDI32.dll!BitBlt                                           0000000076b05ea6 5 bytes JMP 0000000100269530
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\GDI32.dll!CreateDCA                                        0000000076b07bcc 5 bytes JMP 0000000100269e10
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\GDI32.dll!StretchBlt                                       0000000076b0b895 5 bytes JMP 0000000100268d50
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\GDI32.dll!MaskBlt                                          0000000076b0c332 5 bytes JMP 0000000100269280
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\GDI32.dll!GetPixel                                         0000000076b0cbfb 5 bytes JMP 0000000100268ae0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\GDI32.dll!CreateDCW                                        0000000076b0e743 5 bytes JMP 0000000100269d10
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\GDI32.dll!PlgBlt                                           0000000076b34646 5 bytes JMP 0000000100268ff0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                              0000000076e18bff 5 bytes JMP 000000010025b6e0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                           0000000076e190d3 7 bytes JMP 000000010025c470
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendMessageW                                    0000000076e19679 5 bytes JMP 000000010025b1a0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                             0000000076e197d2 5 bytes JMP 000000010025ac20
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                 0000000076e1ee09 5 bytes JMP 000000010025c160
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                  0000000076e1efc9 5 bytes JMP 0000000100258140
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!PostMessageW                                    0000000076e212a5 5 bytes JMP 000000010025bc20
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!GetKeyState                                     0000000076e2291f 5 bytes JMP 00000001002593d0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SetParent                                       0000000076e22d64 5 bytes JMP 0000000100258980
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!EnableWindow                                    0000000076e22da4 5 bytes JMP 0000000100257ea0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!MoveWindow                                      0000000076e23698 5 bytes JMP 0000000100258c20
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!PostMessageA                                    0000000076e23baa 5 bytes JMP 000000010025bec0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                              0000000076e23c61 5 bytes JMP 000000010025b980
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendMessageA                                    0000000076e2612e 5 bytes JMP 000000010025b440
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                           0000000076e26c30 7 bytes JMP 000000010025c690
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                               0000000076e27603 5 bytes JMP 000000010025c8b0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                              0000000076e27668 5 bytes JMP 000000010025a160
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                            0000000076e276e0 5 bytes JMP 000000010025a6a0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                             0000000076e2781f 5 bytes JMP 000000010025aee0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                               0000000076e2835c 5 bytes JMP 000000010025cb20
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                              0000000076e2c4b6 5 bytes JMP 0000000100258780
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                             0000000076e3c112 5 bytes JMP 0000000100259eb0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                             0000000076e3d0f5 5 bytes JMP 0000000100259c00
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                0000000076e3eb96 5 bytes JMP 0000000100259120
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                0000000076e3ec68 5 bytes JMP 0000000100259680
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendInput                                       0000000076e3ff4a 5 bytes JMP 0000000100259930
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!GetClipboardData                                0000000076e59f1d 5 bytes JMP 0000000100258370
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                   0000000076e61497 5 bytes JMP 0000000100257c90
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!mouse_event                                     0000000076e7027b 5 bytes JMP 00000001002697c0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!keybd_event                                     0000000076e702bf 5 bytes JMP 00000001002699d0
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                            0000000076e76cfc 5 bytes JMP 000000010025a960
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                              0000000076e76d5d 5 bytes JMP 000000010025a400
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!BlockInput                                      0000000076e77dd7 5 bytes JMP 0000000100258580
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                         0000000076e788eb 5 bytes JMP 0000000100258f00
.text  C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1376] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                          0000000076bf2538 5 bytes JMP 00000001002644d0
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                          0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                            0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                               0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                            0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                               0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                 0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                          0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                     0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                         0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                            0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                 0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                     000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\GDI32.dll!DeleteDC                                                                              000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\GDI32.dll!BitBlt                                                                                000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\GDI32.dll!MaskBlt                                                                               000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\GDI32.dll!CreateDCW                                                                             000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\GDI32.dll!CreateDCA                                                                             000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\GDI32.dll!GetPixel                                                                              000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\GDI32.dll!StretchBlt                                                                            000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\atieclxx.exe[1476] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess

PhattCasper · 27.03.2013, 09:21

gmer log 2

Code:

ATTFilter

.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\System32\spoolsv.exe[1736] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                         0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                              0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                      0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                   0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                         0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                 0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                  0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                              0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                               0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                    0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                               0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                       0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                   0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                      0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                    0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                           0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                          0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                            0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                      0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                    0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                               0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                               0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe[1772] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                         0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                 000007feff226bd0 5 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0378
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                000007feffb2a1a0 7 bytes JMP 000007fffdbb0180
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                   0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                        0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                             0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                   0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                           0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                            0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                        0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                         0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                              0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                         0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                 0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                             0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                          0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                              0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                     0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                    0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                          0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                      0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                              0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                         0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                         0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                   0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                         00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                 0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                       0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                    0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageW                                             0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                      0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                          0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                           0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!PostMessageW                                             0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetKeyState                                              0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetParent                                                0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!EnableWindow                                             0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!MoveWindow                                               0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!PostMessageA                                             0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                       0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageA                                             0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                    0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                        0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                       0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                     0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                      0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                        0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                       0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                      0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                      0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                         0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                         0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendInput                                                0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!GetClipboardData                                         0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                            0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!mouse_event                                              0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!keybd_event                                              0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                     0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                       0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!BlockInput                                               0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                  0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                  0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\GDI32.dll!BitBlt                                                    0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                 0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                   0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\GDI32.dll!GetPixel                                                  0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                 0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                    0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1900] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                   0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                        0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                             0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                     0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                  0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                        0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                 0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                             0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                              0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                   0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                              0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                      0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                  0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                     0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                               0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                   0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                          0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                         0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                               0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                           0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                     0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                   0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                              0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                              0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                        0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                              00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                        0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                       0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\GDI32.dll!BitBlt                                                         0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                      0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                     0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                        0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\GDI32.dll!GetPixel                                                       0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                      0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                         0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                            0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                         0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageW                                                  0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                           0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                               0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!PostMessageW                                                  0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!GetKeyState                                                   0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SetParent                                                     0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!EnableWindow                                                  0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!MoveWindow                                                    0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!PostMessageA                                                  0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                            0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageA                                                  0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                         0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                             0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                            0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                          0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                           0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                             0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                            0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                           0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                           0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                              0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                              0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendInput                                                     0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!GetClipboardData                                              0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                 0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!mouse_event                                                   0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!keybd_event                                                   0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                          0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                            0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!BlockInput                                                    0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                       0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                      0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                     0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                        0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                             0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                     0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                  0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                        0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                 0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                             0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                              0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                   0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                              0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                      0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                  0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                     0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                               0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                   0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                          0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                         0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                               0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                           0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                     0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                   0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                              0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                              0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                        0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                              00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                        0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                      0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                     0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                       0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\GDI32.dll!BitBlt                                                         0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                      0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                     0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                        0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\GDI32.dll!GetPixel                                                       0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                      0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                         0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                            0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                         0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendMessageW                                                  0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                           0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                               0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!PostMessageW                                                  0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!GetKeyState                                                   0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SetParent                                                     0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!EnableWindow                                                  0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!MoveWindow                                                    0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!PostMessageA                                                  0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                            0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendMessageA                                                  0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                         0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                             0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                            0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                          0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                           0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                             0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                            0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                           0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                           0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                              0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                              0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendInput                                                     0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!GetClipboardData                                              0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                 0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!mouse_event                                                   0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!keybd_event                                                   0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                          0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                            0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!BlockInput                                                    0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1308] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                       0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                        0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                             0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                     0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                  0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                        0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                 0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                             0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                              0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                   0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                              0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                      0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                  0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                     0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                               0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                   0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                          0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                         0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                               0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                           0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                     0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                   0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                              0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                              0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                        0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                              00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                       0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\GDI32.dll!BitBlt                                                         0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                      0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                     0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                        0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\GDI32.dll!GetPixel                                                       0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                      0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                         0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                            0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                         0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendMessageW                                                  0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                           0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                               0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!PostMessageW                                                  0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!GetKeyState                                                   0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SetParent                                                     0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!EnableWindow                                                  0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!MoveWindow                                                    0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!PostMessageA                                                  0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                            0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendMessageA                                                  0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                         0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                             0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                            0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                          0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                           0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                             0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                            0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                           0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                           0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                              0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                              0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendInput                                                     0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!GetClipboardData                                              0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                 0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!mouse_event                                                   0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!keybd_event                                                   0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                          0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                            0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!BlockInput                                                    0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                       0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                        0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                      0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe[1372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                     0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                            0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                 0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                         0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                      0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                            0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                    0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                     0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                                 0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                  0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                       0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                  0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                          0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                      0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                         0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                   0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                       0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                              0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                             0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                   0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                               0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                         0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                       0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                  0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                  0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                            0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                  00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                          0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                         0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                            0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                           0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\GDI32.dll!BitBlt                                                             0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                          0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                         0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                            0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\GDI32.dll!GetPixel                                                           0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                          0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                             0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                                0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                             0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendMessageW                                                      0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                               0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                   0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                    0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!PostMessageW                                                      0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!GetKeyState                                                       0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SetParent                                                         0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!EnableWindow                                                      0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!MoveWindow                                                        0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!PostMessageA                                                      0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                                0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendMessageA                                                      0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                             0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                 0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                                0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                              0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                               0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                 0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                                0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                               0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                               0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                                  0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                                  0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendInput                                                         0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!GetClipboardData                                                  0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                     0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!mouse_event                                                       0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!keybd_event                                                       0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                              0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                                0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!BlockInput                                                        0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1580] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                           0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                              0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                   0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                           0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                        0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                              0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                      0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                       0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                                                   0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                    0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                         0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                                    0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                            0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                                        0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                           0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                     0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                         0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                                0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                               0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                                     0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                 0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                           0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                         0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                    0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                    0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                              0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                                    00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                                                  0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                                               0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                        0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                                                 0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                     0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                                      0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                        0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!GetKeyState                                                                         0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SetParent                                                                           0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!EnableWindow                                                                        0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!MoveWindow                                                                          0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                        0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                                                  0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                        0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                                               0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                   0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                                                  0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                                                0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                                                 0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                   0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                                                  0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                                                 0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                                                 0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                                                    0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                                                    0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendInput                                                                           0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!GetClipboardData                                                                    0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                                       0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!mouse_event                                                                         0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!keybd_event                                                                         0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                                                0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                                                  0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!BlockInput                                                                          0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                                             0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                                             0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\GDI32.dll!BitBlt                                                                               0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                                            0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                                           0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                                              0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\GDI32.dll!GetPixel                                                                             0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                                            0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                                               0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Windows\SysWOW64\XSrvSetup.exe[1096] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                              0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                               0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                    0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                            0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                         0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                               0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                       0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                        0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                                                    0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                     0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                          0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                                     0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                                         0000000077e90684 5 bytes JMP 000000011002f8b0

PhattCasper · 27.03.2013, 09:22

gmer log 3

Code:

ATTFilter

.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                            0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                      0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                          0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                                 0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                                      0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                  0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                            0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                          0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                     0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                     0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                               0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                                     00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                                    0000000075891a22 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                                    0000000075891ad0 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                                    0000000075891b08 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                                                                    0000000075891bba 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                                                                    0000000075891bda 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                                                   0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                                                0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                         0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                                                  0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                      0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                                       0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                         0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!GetKeyState                                                                          0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetParent                                                                            0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!EnableWindow                                                                         0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!MoveWindow                                                                           0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                         0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                                                   0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                         0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                                                0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                    0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                                                   0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                                                 0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                                                  0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                    0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                                                   0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                                                  0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                                                  0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                                                     0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                                                     0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendInput                                                                            0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!GetClipboardData                                                                     0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                                        0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!mouse_event                                                                          0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!keybd_event                                                                          0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                                                 0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                                                   0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!BlockInput                                                                           0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                                              0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                                              0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!BitBlt                                                                                0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                                             0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                                            0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                                               0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!GetPixel                                                                              0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                                             0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                                                0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                               0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                 0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                      0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                              0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                           0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                 0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                         0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                          0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                      0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                       0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                            0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                       0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                               0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                           0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                              0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                        0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                            0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                   0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                  0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                        0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                    0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                              0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                            0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                       0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                       0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                 0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                       00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!BitBlt                                                  0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!CreateDCA                                               0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!StretchBlt                                              0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                 0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!GetPixel                                                0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!CreateDCW                                               0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                  0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                     0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                  0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageW                                           0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                    0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                        0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                         0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!PostMessageW                                           0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!GetKeyState                                            0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetParent                                              0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!EnableWindow                                           0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!MoveWindow                                             0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!PostMessageA                                           0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                     0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageA                                           0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                  0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                      0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                     0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                   0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                    0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                      0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                     0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                    0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                    0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                       0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                       0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendInput                                              0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!GetClipboardData                                       0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                          0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!mouse_event                                            0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!keybd_event                                            0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                   0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                     0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!BlockInput                                             0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                 0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                               0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                              0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                   0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                     0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                        0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                             0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                     0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                  0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                        0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                 0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                              0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                          0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                   0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                              0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                      0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                  0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                     0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                               0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                   0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                          0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                         0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                               0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                           0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                        0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\kernel32.dll!CreateProcessW                              0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\kernel32.dll!CreateProcessA                              0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters              000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                        000007feffb2a1a0 7 bytes JMP 000007fffdbb0180
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!DeleteDC                                       000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!BitBlt                                         000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!MaskBlt                                        000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!CreateDCW                                      000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!CreateDCA                                      000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!GetPixel                                       000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!StretchBlt                                     000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!PlgBlt                                         000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                     0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                             0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                          0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                        0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                         0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                     0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                      0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                           0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                      0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                              0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                          0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                             0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                       0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                           0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                  0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                 0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                       0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                   0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                             0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                           0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                      0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                      0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                      00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!DeleteDC                                               0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!BitBlt                                                 0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!CreateDCA                                              0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!StretchBlt                                             0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!GetPixel                                               0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!CreateDCW                                              0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                 0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                    0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                 0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageW                                          0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                   0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                       0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                        0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!PostMessageW                                          0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!GetKeyState                                           0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetParent                                             0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!EnableWindow                                          0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!MoveWindow                                            0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!PostMessageA                                          0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                    0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageA                                          0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                 0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                     0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                    0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                  0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                   0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                     0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                    0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                   0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                   0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                      0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                      0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendInput                                             0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!GetClipboardData                                      0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                         0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!mouse_event                                           0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!keybd_event                                           0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                  0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                    0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!BlockInput                                            0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                               0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                     0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                             0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                          0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                        0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                         0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                     0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                      0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                           0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                      0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                              0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                          0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                             0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                       0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                           0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                  0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                 0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                       0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                   0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                             0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                           0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                      0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                      0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                      00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                    0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                 0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageW                                          0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                   0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                       0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                        0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!PostMessageW                                          0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!GetKeyState                                           0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetParent                                             0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!EnableWindow                                          0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!MoveWindow                                            0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!PostMessageA                                          0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                    0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageA                                          0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                 0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                     0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                    0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                  0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                   0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                     0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                    0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                   0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                   0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                      0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                      0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendInput                                             0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!GetClipboardData                                      0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                         0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!mouse_event                                           0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!keybd_event                                           0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                  0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                    0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!BlockInput                                            0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                               0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!DeleteDC                                               0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!BitBlt                                                 0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!CreateDCA                                              0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!StretchBlt                                             0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!GetPixel                                               0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!CreateDCW                                              0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                 0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters             000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!DeleteDC                                      000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!BitBlt                                        000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!MaskBlt                                       000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!CreateDCW                                     000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!CreateDCA                                     000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!GetPixel                                      000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!StretchBlt                                    000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!PlgBlt                                        000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                               0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                 0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                    0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                 0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                    0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                      0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                               0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                          0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                              0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                 0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                      0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                          000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                   000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!BitBlt                                                                                     000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                    000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                  000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                  000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!GetPixel                                                                                   000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                 000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                     000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                          0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                            0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                               0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                            0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                               0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                 0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                          0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                     0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                         0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                            0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                 0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                               0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                     0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                     0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                     000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!DeleteDC                                                                              000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!BitBlt                                                                                000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!MaskBlt                                                                               000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!CreateDCW                                                                             000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!CreateDCA                                                                             000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!GetPixel                                                                              000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!StretchBlt                                                                            000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtClose                                         0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                              0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                      0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                   0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                         0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                 0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                  0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                              0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                               0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                    0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                               0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                       0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                   0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                      0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                    0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                           0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                          0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                            0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                      0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                    0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\syswow64\kernel32.dll!CreateProcessW                               0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\syswow64\kernel32.dll!CreateProcessA                               0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                         0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                   0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                     0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                        0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                             0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                     0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                  0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                        0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                 0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                              0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                          0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                   0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                              0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                      0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                  0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                     0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                               0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                   0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                          0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                         0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                               0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                           0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                        0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                              0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                              0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                              000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                       000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!BitBlt                                                                                         000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                        000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                      000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                      000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!GetPixel                                                                                       000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                     000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                         000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                 0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                   0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                      0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                           0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                   0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                      0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                              0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                               0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                            0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                        0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                 0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                            0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                    0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                   0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                             0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                 0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                        0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                       0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                             0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                         0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                      0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\kernel32.dll!CreateProcessW                                            0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\kernel32.dll!CreateProcessA                                            0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                            000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!DeleteDC                                                     000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!BitBlt                                                       000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!MaskBlt                                                      000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!CreateDCW                                                    000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!CreateDCA                                                    000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!GetPixel                                                     000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!StretchBlt                                                   000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!PlgBlt                                                       000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                       0000000077ce1490 8 bytes JMP 000000016fff00d8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\kernel32.dll!CreateProcessW                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\kernel32.dll!CreateProcessA                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!DeleteDC                                                               000007fefff322cc 5 bytes JMP 000007fffdbb02d0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!BitBlt                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!MaskBlt                                                                000007fefff35be0 5 bytes JMP 000007fffdbb0340
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!CreateDCW                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!CreateDCA                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!GetPixel

PhattCasper · 27.03.2013, 09:24

gmer log 3

Code:

ATTFilter

.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                            0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                      0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                          0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                                 0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                                      0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                  0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                            0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                          0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                     0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                     0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                               0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                                     00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                                    0000000075891a22 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                                    0000000075891ad0 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                                    0000000075891b08 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                                                                    0000000075891bba 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                                                                    0000000075891bda 2 bytes [89, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                                                   0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                                                0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                         0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                                                  0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                      0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                                       0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                         0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!GetKeyState                                                                          0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetParent                                                                            0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!EnableWindow                                                                         0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!MoveWindow                                                                           0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                         0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                                                   0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                         0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                                                0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                    0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                                                   0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                                                 0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                                                  0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                    0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                                                   0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                                                  0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                                                  0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                                                     0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                                                     0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendInput                                                                            0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!GetClipboardData                                                                     0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                                        0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!mouse_event                                                                          0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!keybd_event                                                                          0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                                                 0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                                                   0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!BlockInput                                                                           0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                                              0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                                              0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!BitBlt                                                                                0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                                             0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                                            0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                                               0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!GetPixel                                                                              0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                                             0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                                                0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2136] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                               0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                 0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                      0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                              0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                           0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                 0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                         0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                          0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                      0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                       0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                            0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                       0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                               0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                           0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                              0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                        0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                            0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                   0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                  0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                        0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                    0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                              0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                            0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                       0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                       0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                 0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                       00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!BitBlt                                                  0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!CreateDCA                                               0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!StretchBlt                                              0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                 0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!GetPixel                                                0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!CreateDCW                                               0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                  0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                     0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                  0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageW                                           0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                    0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                        0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                         0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!PostMessageW                                           0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!GetKeyState                                            0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetParent                                              0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!EnableWindow                                           0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!MoveWindow                                             0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!PostMessageA                                           0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                     0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageA                                           0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                  0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                      0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                     0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                   0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                    0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                      0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                     0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                    0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                    0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                       0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                       0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendInput                                              0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!GetClipboardData                                       0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                          0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!mouse_event                                            0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!keybd_event                                            0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                   0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                     0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!BlockInput                                             0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                 0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                               0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2180] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                              0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[2280] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                   0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                     0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                        0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                             0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                     0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                  0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                        0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                 0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                              0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                          0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                   0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                              0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                      0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                  0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                     0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                               0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                   0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                          0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                         0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                               0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                           0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                        0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\kernel32.dll!CreateProcessW                              0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\kernel32.dll!CreateProcessA                              0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters              000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                        000007feffb2a1a0 7 bytes JMP 000007fffdbb0180
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!DeleteDC                                       000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!BitBlt                                         000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!MaskBlt                                        000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!CreateDCW                                      000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!CreateDCA                                      000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!GetPixel                                       000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!StretchBlt                                     000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2316] C:\Windows\system32\GDI32.dll!PlgBlt                                         000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                     0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                             0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                          0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                        0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                         0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                     0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                      0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                           0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                      0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                              0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                          0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                             0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                       0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                           0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                  0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                 0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                       0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                   0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                             0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                           0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                      0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                      0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                      00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!DeleteDC                                               0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!BitBlt                                                 0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!CreateDCA                                              0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!StretchBlt                                             0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!GetPixel                                               0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!CreateDCW                                              0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                 0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                    0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                 0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageW                                          0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                   0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                       0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                        0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!PostMessageW                                          0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!GetKeyState                                           0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetParent                                             0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!EnableWindow                                          0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!MoveWindow                                            0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!PostMessageA                                          0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                    0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageA                                          0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                 0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                     0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                    0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                  0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                   0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                     0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                    0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                   0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                   0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                      0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                      0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendInput                                             0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!GetClipboardData                                      0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                         0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!mouse_event                                           0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!keybd_event                                           0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                  0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                    0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!BlockInput                                            0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                               0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                     0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                             0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                          0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                        0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                         0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                     0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                      0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                           0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                      0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                              0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                          0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                             0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                       0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                           0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                  0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                 0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                       0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                   0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                             0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                           0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                      0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                      0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                      00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                    0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                 0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageW                                          0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                   0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                       0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                        0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!PostMessageW                                          0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!GetKeyState                                           0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetParent                                             0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!EnableWindow                                          0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!MoveWindow                                            0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!PostMessageA                                          0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                    0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageA                                          0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                 0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                     0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                    0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                  0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                   0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                     0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                    0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                   0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                   0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                      0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                      0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendInput                                             0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!GetClipboardData                                      0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                         0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!mouse_event                                           0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!keybd_event                                           0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                  0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                    0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!BlockInput                                            0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                               0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!DeleteDC                                               0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!BitBlt                                                 0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!CreateDCA                                              0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!StretchBlt                                             0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!GetPixel                                               0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!CreateDCW                                              0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                 0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[2516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters             000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!DeleteDC                                      000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!BitBlt                                        000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!MaskBlt                                       000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!CreateDCW                                     000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!CreateDCA                                     000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!GetPixel                                      000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!StretchBlt                                    000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2680] C:\Windows\system32\GDI32.dll!PlgBlt                                        000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                               0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                 0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                    0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                         0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                 0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                              0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                    0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                            0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                             0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                          0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                      0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                               0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                          0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                  0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                              0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                 0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                           0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                               0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                      0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                     0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                           0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                       0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                          000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                   000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!BitBlt                                                                                     000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                    000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                  000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                  000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!GetPixel                                                                                   000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                 000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\Dwm.exe[3008] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                     000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                          0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                            0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                               0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                    0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                            0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                         0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                               0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                       0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                        0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                     0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                 0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                          0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                     0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                             0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                         0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                            0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                      0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                          0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                 0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                      0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                  0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                               0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                     0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                     0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                     000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!DeleteDC                                                                              000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!BitBlt                                                                                000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!MaskBlt                                                                               000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!CreateDCW                                                                             000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!CreateDCA                                                                             000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!GetPixel                                                                              000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!StretchBlt                                                                            000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\taskhost.exe[2104] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtClose                                         0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                              0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                      0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                   0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                         0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                 0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                  0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                              0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                               0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                    0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                               0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                       0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                   0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                      0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                    0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                           0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                          0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                            0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                      0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                    0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\syswow64\kernel32.dll!CreateProcessW                               0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\syswow64\kernel32.dll!CreateProcessA                               0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[2276] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                         0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                   0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                     0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                        0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                             0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                     0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                  0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                        0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                 0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                              0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                          0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                   0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                              0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                      0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                  0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                     0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                               0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                   0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                          0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                         0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                               0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                           0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                        0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                              0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                              0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                              000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                       000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!BitBlt                                                                                         000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                        000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                      000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                      000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!GetPixel                                                                                       000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                     000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\Explorer.EXE[3080] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                         000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                 0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                   0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                      0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                           0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                   0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                      0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                              0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                               0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                            0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                        0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                 0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                            0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                    0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                   0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                             0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                 0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                        0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                       0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                             0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                         0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                      0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\kernel32.dll!CreateProcessW                                            0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\kernel32.dll!CreateProcessA                                            0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                            000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!DeleteDC                                                     000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!BitBlt                                                       000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!MaskBlt                                                      000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!CreateDCW                                                    000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!CreateDCA                                                    000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!GetPixel                                                     000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!StretchBlt                                                   000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[3180] C:\Windows\system32\GDI32.dll!PlgBlt                                                       000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[3588] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                       0000000077ce1490 8 bytes JMP 000000016fff00d8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\kernel32.dll!CreateProcessW                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\kernel32.dll!CreateProcessA                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!DeleteDC                                                               000007fefff322cc 5 bytes JMP 000007fffdbb02d0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!BitBlt                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!MaskBlt                                                                000007fefff35be0 5 bytes JMP 000007fffdbb0340
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!CreateDCW                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!CreateDCA                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!GetPixel

PhattCasper · 27.03.2013, 09:25

gmer log 4

Code:

ATTFilter

.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!StretchBlt                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb03b0
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3828] C:\Windows\system32\GDI32.dll!PlgBlt                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0378
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                         0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                              0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                      0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                   0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                         0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                 0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                  0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                              0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                               0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                    0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                               0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                       0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                   0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                      0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                    0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                           0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                          0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                            0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                      0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                    0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                               0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                               0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[4000] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                         0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                  0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                       0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                               0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                            0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                  0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                          0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                           0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                       0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                        0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                             0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                        0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                            0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                               0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                         0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                             0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                    0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                   0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                         0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                     0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                               0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                             0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                        0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                        0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                  0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                        00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                 0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\GDI32.dll!BitBlt                                                   0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\GDI32.dll!StretchBlt                                               0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                  0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\GDI32.dll!GetPixel                                                 0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                   0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                      0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                   0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageW                                            0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                     0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                         0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                          0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!PostMessageW                                            0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!GetKeyState                                             0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SetParent                                               0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!EnableWindow                                            0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!MoveWindow                                              0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!PostMessageA                                            0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                      0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageA                                            0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                   0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                       0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                      0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                    0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                     0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                       0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                      0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                     0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                     0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                        0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                        0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendInput                                               0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!GetClipboardData                                        0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                           0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!mouse_event                                             0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!keybd_event                                             0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                    0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                      0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!BlockInput                                              0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                 0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                  0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                                0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[4016] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                               0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                      0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                           0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                   0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                      0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                              0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                               0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                           0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                            0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                 0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                            0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                    0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                   0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                             0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                 0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                        0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                       0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                             0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                         0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                   0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                 0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                            0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                            0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                      0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                            00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                     0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\GDI32.dll!BitBlt                                                       0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                    0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                   0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                      0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\GDI32.dll!GetPixel                                                     0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                    0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                       0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                          0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                       0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageW                                                0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                         0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                             0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                              0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!PostMessageW                                                0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!GetKeyState                                                 0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SetParent                                                   0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!EnableWindow                                                0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!MoveWindow                                                  0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!PostMessageA                                                0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                          0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageA                                                0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                       0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                           0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                          0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                        0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                         0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                           0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                          0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                         0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                         0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                            0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                            0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendInput                                                   0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!GetClipboardData                                            0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                               0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!mouse_event                                                 0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!keybd_event                                                 0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                        0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                          0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!BlockInput                                                  0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                     0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                      0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                    0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Hotspot Shield\bin\openvpntray.exe[4144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                   0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtClose                                  0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                       0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                               0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                            0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                  0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                          0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                           0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                       0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                        0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                             0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                        0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                            0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject               0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                         0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                             0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                    0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                   0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                         0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                     0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                               0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                             0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW                        0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA                        0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW                  0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters        00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                      0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                   0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendMessageW                            0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                     0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SetWinEventHook                         0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!RegisterHotKey                          0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!PostMessageW                            0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!GetKeyState                             0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SetParent                               0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!EnableWindow                            0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!MoveWindow                              0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!PostMessageA                            0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                      0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendMessageA                            0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                   0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                       0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                      0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                    0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                     0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                       0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                      0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                     0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                     0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                        0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!GetKeyboardState                        0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendInput                               0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!GetClipboardData                        0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                           0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!mouse_event                             0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!keybd_event                             0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                    0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                      0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!BlockInput                              0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                 0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\GDI32.dll!DeleteDC                                 0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\GDI32.dll!BitBlt                                   0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\GDI32.dll!CreateDCA                                0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\GDI32.dll!StretchBlt                               0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\GDI32.dll!MaskBlt                                  0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\GDI32.dll!GetPixel                                 0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\GDI32.dll!CreateDCW                                0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\GDI32.dll!PlgBlt                                   0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[1016] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                  0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[3788] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtClose                            0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                 0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                         0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                      0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken            0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                    0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                     0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                 0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                  0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                       0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                  0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort          0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                      0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject         0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                   0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                       0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject              0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation             0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                   0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl               0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                         0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                       0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW                  0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA                  0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW            0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters  00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW             0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendMessageW                      0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW               0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SetWinEventHook                   0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!RegisterHotKey                    0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!PostMessageW                      0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!GetKeyState                       0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SetParent                         0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!EnableWindow                      0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!MoveWindow                        0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!PostMessageA                      0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendMessageA                      0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA             0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                 0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW              0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA               0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                 0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA               0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW               0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                  0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!GetKeyboardState                  0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendInput                         0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!GetClipboardData                  0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                     0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!mouse_event                       0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!keybd_event                       0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA              0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!BlockInput                        0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices           0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\GDI32.dll!DeleteDC                           0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\GDI32.dll!BitBlt                             0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\GDI32.dll!CreateDCA                          0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\GDI32.dll!StretchBlt                         0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\GDI32.dll!MaskBlt                            0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\GDI32.dll!GetPixel                           0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\GDI32.dll!CreateDCW                          0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\GDI32.dll!PlgBlt                             0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA            0000000076bf2538 5 bytes JMP 00000001100244d0
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69          0000000076f11465 2 bytes [F1, 76]
.text  C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155         0000000076f114bb 2 bytes [F1, 76]
.text  ...                                                                                                                                                        * 2
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\svchost.exe[2100] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                           0000000077cb3ae0 5 bytes JMP 000000016fff0110
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                             0000000077cb7a90 5 bytes JMP 000000016fff0d50
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                0000000077ce1400 8 bytes JMP 000000016fff00d8
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                     0000000077ce15d0 8 bytes JMP 000000016fff0a78
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                             0000000077ce1640 8 bytes JMP 000000016fff0c00
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                          0000000077ce1680 8 bytes JMP 000000016fff0b90
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                0000000077ce1720 8 bytes JMP 000000016fff0c38
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                        0000000077ce17b0 8 bytes JMP 000000016fff0b58
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                         0000000077ce17f0 8 bytes JMP 000000016fff0998
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                      0000000077ce1840 1 byte JMP 000000016fff09d0
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2                                                                  0000000077ce1842 6 bytes {JMP 0xfffffffff830f190}
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                           0000000077ce1860 8 bytes JMP 000000016fff0bc8
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                      0000000077ce1a50 8 bytes JMP 000000016fff0d18
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                              0000000077ce1b60 8 bytes JMP 000000016fff0960
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                          0000000077ce1c30 8 bytes JMP 000000016fff0ab0
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                             0000000077ce1d80 8 bytes JMP 000000016fff0c70
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                       0000000077ce1d90 8 bytes JMP 000000016fff0ce0
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                           0000000077ce2100 8 bytes JMP 000000016fff0ae8
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                  0000000077ce2190 8 bytes JMP 000000016fff0ca8
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                 0000000077ce2a00 8 bytes JMP 000000016fff0b20
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                       0000000077ce2a80 8 bytes JMP 000000016fff0a08
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                   0000000077ce2b00 8 bytes JMP 000000016fff0a40
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW                                                                0000000077b7a420 12 bytes JMP 000000016fff01b8
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\kernel32.dll!CreateProcessW                                                                      0000000077b91b50 12 bytes JMP 000000016fff0148
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\kernel32.dll!CreateProcessA                                                                      0000000077c08800 7 bytes JMP 000000016fff0180
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters                                                      000007fefde169a0 7 bytes JMP 000007fffdbb0148
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\GDI32.dll!DeleteDC                                                                               000007fefff322cc 5 bytes JMP 000007fffdbb0260
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\GDI32.dll!BitBlt                                                                                 000007fefff324c0 5 bytes JMP 000007fffdbb0298
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\GDI32.dll!MaskBlt                                                                                000007fefff35be0 5 bytes JMP 000007fffdbb02d0
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\GDI32.dll!CreateDCW                                                                              000007fefff38398 9 bytes JMP 000007fffdbb01f0
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\GDI32.dll!CreateDCA                                                                              000007fefff389c8 9 bytes JMP 000007fffdbb01b8
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\GDI32.dll!GetPixel                                                                               000007fefff39344 5 bytes JMP 000007fffdbb0228
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\GDI32.dll!StretchBlt                                                                             000007fefff3b9e8 5 bytes JMP 000007fffdbb0340
.text  C:\Windows\system32\AUDIODG.EXE[3932] C:\Windows\System32\GDI32.dll!PlgBlt                                                                                 000007fefff45410 5 bytes JMP 000007fffdbb0308
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                     0000000077e8f9d0 5 bytes JMP 000000011001d120
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                          0000000077e8fca0 5 bytes JMP 000000011002fc20
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                  0000000077e8fd54 5 bytes JMP 000000011002e100
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                               0000000077e8fdb8 5 bytes JMP 000000011002ed90
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                     0000000077e8feb0 5 bytes JMP 000000011002c3c0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                             0000000077e8ff94 5 bytes JMP 000000011002e7a0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                              0000000077e8fff4 2 bytes JMP 0000000110030080
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 3                                                          0000000077e8fff7 2 bytes [1A, 98]
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                           0000000077e90074 5 bytes JMP 000000011002fe40
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                0000000077e900a4 5 bytes JMP 000000011002e400
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort                                                           0000000077e903a8 5 bytes JMP 000000011002cde0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort                                                   0000000077e90540 5 bytes JMP 000000011002b670
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort                                                               0000000077e90684 5 bytes JMP 000000011002f8b0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                  0000000077e9087c 5 bytes JMP 000000011002bfe0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                            0000000077e90894 5 bytes JMP 000000011002ca40
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                0000000077e90de4 5 bytes JMP 000000011002f6a0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject                                                       0000000077e90ec8 5 bytes JMP 000000011002f220
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                      0000000077e91bd4 5 bytes JMP 000000011002f460
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem                                                            0000000077e91ca4 5 bytes JMP 000000011002c670
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                        0000000077e91d7c 5 bytes JMP 000000011002f020
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                  0000000077eac43a 5 bytes JMP 0000000110027f40
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                0000000077eb11d7 7 bytes JMP 000000011001d240
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                           0000000075a4103d 5 bytes JMP 0000000110025070
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                           0000000075a41072 5 bytes JMP 0000000110025c00
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                     0000000075a6c9b5 5 bytes JMP 0000000110023ba0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters                                           00000000773aed6a 5 bytes JMP 000000011001d270
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!PostThreadMessageW                                                         0000000076e18bff 5 bytes JMP 000000011001b6e0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW                                                      0000000076e190d3 7 bytes JMP 000000011001c470
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageW                                                               0000000076e19679 5 bytes JMP 000000011001b1a0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW                                                        0000000076e197d2 5 bytes JMP 000000011001ac20
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                            0000000076e1ee09 5 bytes JMP 000000011001c160
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!RegisterHotKey                                                             0000000076e1efc9 5 bytes JMP 0000000110018140
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!PostMessageW                                                               0000000076e212a5 5 bytes JMP 000000011001bc20
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!GetKeyState                                                                0000000076e2291f 5 bytes JMP 00000001100193d0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SetParent                                                                  0000000076e22d64 5 bytes JMP 0000000110018980
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!EnableWindow                                                               0000000076e22da4 5 bytes JMP 0000000110017ea0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!MoveWindow                                                                 0000000076e23698 5 bytes JMP 0000000110018c20
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!PostMessageA                                                               0000000076e23baa 5 bytes JMP 000000011001bec0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!PostThreadMessageA                                                         0000000076e23c61 5 bytes JMP 000000011001b980
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageA                                                               0000000076e2612e 5 bytes JMP 000000011001b440
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA                                                      0000000076e26c30 7 bytes JMP 000000011001c690
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                          0000000076e27603 5 bytes JMP 000000011001c8b0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW                                                         0000000076e27668 5 bytes JMP 000000011001a160
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW                                                       0000000076e276e0 5 bytes JMP 000000011001a6a0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA                                                        0000000076e2781f 5 bytes JMP 000000011001aee0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                          0000000076e2835c 5 bytes JMP 000000011001cb20
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SetClipboardViewer                                                         0000000076e2c4b6 5 bytes JMP 0000000110018780
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA                                                        0000000076e3c112 5 bytes JMP 0000000110019eb0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW                                                        0000000076e3d0f5 5 bytes JMP 0000000110019c00
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState                                                           0000000076e3eb96 5 bytes JMP 0000000110019120
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!GetKeyboardState                                                           0000000076e3ec68 5 bytes JMP 0000000110019680
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendInput                                                                  0000000076e3ff4a 5 bytes JMP 0000000110019930
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!GetClipboardData                                                           0000000076e59f1d 5 bytes JMP 0000000110018370
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!ExitWindowsEx                                                              0000000076e61497 5 bytes JMP 0000000110017c90
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!mouse_event                                                                0000000076e7027b 5 bytes JMP 00000001100297c0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!keybd_event                                                                0000000076e702bf 5 bytes JMP 00000001100299d0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA                                                       0000000076e76cfc 5 bytes JMP 000000011001a960
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA                                                         0000000076e76d5d 5 bytes JMP 000000011001a400
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!BlockInput                                                                 0000000076e77dd7 5 bytes JMP 0000000110018580
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices                                                    0000000076e788eb 5 bytes JMP 0000000110018f00
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\GDI32.dll!DeleteDC                                                                    0000000076b058b3 5 bytes JMP 0000000110028d10
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\GDI32.dll!BitBlt                                                                      0000000076b05ea6 5 bytes JMP 0000000110029530
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\GDI32.dll!CreateDCA                                                                   0000000076b07bcc 5 bytes JMP 0000000110029e10
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\GDI32.dll!StretchBlt                                                                  0000000076b0b895 5 bytes JMP 0000000110028d50
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\GDI32.dll!MaskBlt                                                                     0000000076b0c332 5 bytes JMP 0000000110029280
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\GDI32.dll!GetPixel                                                                    0000000076b0cbfb 5 bytes JMP 0000000110028ae0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\GDI32.dll!CreateDCW                                                                   0000000076b0e743 5 bytes JMP 0000000110029d10
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\GDI32.dll!PlgBlt                                                                      0000000076b34646 5 bytes JMP 0000000110028ff0
.text  C:\Users\Hoof\Downloads\gmer_2.1.19155.exe[2204] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                     0000000076bf2538 5 bytes JMP 00000001100244d0

---- EOF - GMER 2.1 ----

so das war alles. Ich hoffe du kannst damit was anfangen. Vielen Dank schon mal.

M-K-D-B · 27.03.2013, 10:59

Servus,

Zitat:

AdwCleaner[R1].txt - [963 octets] - [25/03/2013 20:20:22]
AdwCleaner[S2].txt - [1024 octets] - [25/03/2013 20:20:50]
AdwCleaner[S3].txt - [959 octets] - [26/03/2013 23:01:52]

Ich sags nochmal.... bitte ALLE Logdateien von AdwCleaner posten... insbesondere S1, S2, S3, etc.

Schritt 1

Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
Bitte lade Junkware Removal Tool auf Deinen Desktop

Starte das Tool mit Doppelklick. Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten.
Drücke eine beliebige Taste, um das Tool zu starten.
Je nach System kann der Scan eine Weile dauern.
Wenn das Tool fertig ist wird das Logfile (JRT.txt) auf dem Desktop gespeichert und automatisch geöffnet.
Bitte poste den Inhalt der JRT.txt in Deiner nächsten Antwort.

Schritt 2
Scan mit Combofix

WARNUNG an die MITLESER:
Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel: Link

WICHTIG: Speichere Combofix auf deinem Desktop.

Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören. Combofix meckert auch manchmal trotzdem noch, das kannst du dann ignorieren, mir aber bitte mitteilen.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Während Combofix läuft bitte nicht am Computer arbeiten, die Maus bewegen oder ins Combofixfenster klicken!

Wenn Combofix fertig ist, wird es ein Logfile erstellen.

Bitte poste die C:\Combofix.txt in deiner nächsten Antwort (möglichst in CODE-Tags).

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
starte den Rechner einfach neu. Dies sollte das Problem beheben.

Schritt 3
Bitte lade dir ZOEK auf deinen Desktop und starte es.

Klicke auf Options
Hake an:
- Firefox Look
- Chrome Look
Klicke auf Run Script und warte bis das Programm durchgelaufen ist.
Am Ende erstellt es ein Logfile (auch hier: c:\zoek-results.txt)

Poste mir dieses Logfile.

Bitte poste mit deiner nächsten Antwort

die Logdatei von JRT,
die Logdatei von ComboFix,
die Logdatei von zoek.

PhattCasper · 27.03.2013, 11:45

Hier kommen die Logs

AdwCleaner[R1]

Code:

ATTFilter

# AdwCleaner v2.115 - Datei am 25/03/2013 um 20:20:22 erstellt
# Aktualisiert am 17/03/2013 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzer : Hoof - HOOF-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Hoof\Downloads\adwcleaner.exe
# Option [Suche]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****


***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Google Chrome v25.0.1364.172

Datei : C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

-\\ Opera v12.1.1532.0

Datei : C:\Users\Hoof\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [836 octets] - [25/03/2013 20:20:22]

########## EOF - C:\AdwCleaner[R1].txt - [895 octets] ##########

AdwCleaner[S2]

Code:

ATTFilter

# AdwCleaner v2.115 - Datei am 25/03/2013 um 20:20:50 erstellt
# Aktualisiert am 17/03/2013 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzer : Hoof - HOOF-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Hoof\Downloads\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****


***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Google Chrome v25.0.1364.172

Datei : C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

-\\ Opera v12.1.1532.0

Datei : C:\Users\Hoof\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [963 octets] - [25/03/2013 20:20:22]
AdwCleaner[S2].txt - [897 octets] - [25/03/2013 20:20:50]

########## EOF - C:\AdwCleaner[S2].txt - [956 octets] ##########

AdwCleaner[S3]

Code:

ATTFilter

# AdwCleaner v2.115 - Datei am 26/03/2013 um 23:01:52 erstellt
# Aktualisiert am 17/03/2013 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzer : Hoof - HOOF-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Hoof\Desktop\adwcleaner (1).exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****


***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Google Chrome v25.0.1364.172

Datei : C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

-\\ Opera v12.1.1532.0

Datei : C:\Users\Hoof\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [963 octets] - [25/03/2013 20:20:22]
AdwCleaner[S2].txt - [1024 octets] - [25/03/2013 20:20:50]
AdwCleaner[S3].txt - [959 octets] - [26/03/2013 23:01:52]

########## EOF - C:\AdwCleaner[S3].txt - [1018 octets] ##########

AdwCleaner[S4]

Code:

ATTFilter

# AdwCleaner v2.115 - Datei am 27/03/2013 um 11:05:47 erstellt
# Aktualisiert am 17/03/2013 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzer : Hoof - HOOF-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Hoof\Desktop\Nice Appz\adwcleaner (1).exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****


***** [Registrierungsdatenbank] *****


***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Google Chrome v25.0.1364.172

Datei : C:\Users\Hoof\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

-\\ Opera v12.1.1532.0

Datei : C:\Users\Hoof\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [963 octets] - [25/03/2013 20:20:22]
AdwCleaner[S2].txt - [1024 octets] - [25/03/2013 20:20:50]
AdwCleaner[S3].txt - [1087 octets] - [26/03/2013 23:01:52]
AdwCleaner[S4].txt - [1029 octets] - [27/03/2013 11:05:47]

########## EOF - C:\AdwCleaner[S4].txt - [1089 octets] ##########

JRT Log

Code:

ATTFilter

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Windows 7 Professional x64
Ran by Hoof on 27.03.2013 at 11:11:04,40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Hoof\AppData\Roaming\strongvault"
Successfully deleted: [Folder] "C:\Users\Hoof\appdata\local\stronghold_llc"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 27.03.2013 at 11:25:01,00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Combo Fix Log

Code:

ATTFilter

ComboFix 13-03-27.01 - Hoof 27.03.2013  11:29:44.1.8 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1031.18.8183.5994 [GMT 1:00]
ausgeführt von:: c:\users\Hoof\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\SecureW2
c:\program files (x86)\SecureW2\Uninstall.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2\TTLS Manager.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2\Uninstall.lnk
c:\users\Hoof\AppData\Roaming\Dyyno
c:\users\Hoof\AppData\Roaming\Dyyno\dgcsrv.xml
c:\users\Hoof\AppData\Roaming\Dyyno\dyyno.xml
c:\users\Hoof\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SecureW2
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
K:\Autorun.inf
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-02-27 bis 2013-03-27  ))))))))))))))))))))))))))))))
.
.
2013-03-27 10:34 . 2013-03-27 10:34	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-03-27 10:11 . 2013-03-27 10:11	--------	d-----w-	c:\windows\ERUNT
2013-03-27 10:10 . 2013-03-27 10:10	--------	d-----w-	C:\JRT
2013-03-25 18:44 . 2009-01-25 11:14	17272	----a-w-	c:\windows\system32\sdnclean64.exe
2013-03-25 18:44 . 2013-03-25 18:44	--------	d-----w-	c:\program files (x86)\Spybot - Search & Destroy 2
2013-03-22 15:10 . 2013-03-22 15:10	--------	d-----w-	c:\users\Hoof\AppData\Roaming\Avira
2013-03-22 15:04 . 2013-03-22 07:47	27800	----a-w-	c:\windows\system32\drivers\avkmgr.sys
2013-03-22 15:04 . 2013-03-22 07:47	129216	----a-w-	c:\windows\system32\drivers\avipbb.sys
2013-03-22 15:04 . 2013-03-22 07:47	99912	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2013-03-22 15:03 . 2013-03-22 15:03	--------	d-----w-	c:\programdata\Avira
2013-03-22 15:03 . 2013-03-22 15:03	--------	d-----w-	c:\program files (x86)\Avira
2013-03-20 17:49 . 2013-03-20 17:49	--------	d-----w-	c:\users\Hoof\AppData\Roaming\Malwarebytes
2013-03-20 17:49 . 2013-03-26 15:27	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-20 17:49 . 2013-03-20 17:49	--------	d-----w-	c:\programdata\Malwarebytes
2013-03-20 17:49 . 2012-12-14 15:49	24176	----a-w-	c:\windows\system32\drivers\mbam.sys
2013-03-20 10:24 . 2013-03-20 10:24	--------	d-----w-	c:\program files (x86)\Microsoft XNA
2013-03-19 06:16 . 2013-03-19 06:16	--------	d-----w-	c:\users\Hoof\AppData\Roaming\Intel Corporation
2013-03-19 06:11 . 2013-03-19 06:11	--------	d-----w-	c:\program files (x86)\Common Files\Intel Corporation
2013-03-18 17:29 . 2013-03-18 17:48	--------	d-----w-	c:\users\Hoof\AppData\Roaming\Crayon Physics Deluxe
2013-03-18 15:42 . 2013-03-18 15:42	669184	----a-w-	c:\windows\SysWow64\pbsvc.exe
2013-03-18 15:12 . 2013-03-18 15:12	--------	d-----w-	C:\Intel
2013-03-18 15:12 . 2000-01-01 00:00	652344	----a-w-	c:\windows\system32\drivers\iaStorA.sys
2013-03-18 15:12 . 2000-01-01 00:00	28216	----a-w-	c:\windows\system32\drivers\iaStorF.sys
2013-03-16 08:29 . 2013-03-16 08:29	--------	d-----w-	c:\windows\SysWow64\RTCOM
2013-03-16 08:29 . 2013-03-16 08:29	--------	d-----w-	c:\program files\Realtek
2013-03-14 19:26 . 2013-03-14 19:26	--------	d-----w-	c:\programdata\Battle.net
2013-03-14 19:12 . 2013-03-14 19:31	--------	d-----w-	c:\programdata\Blizzard Entertainment
2013-03-14 19:12 . 2013-03-14 22:49	--------	d-----w-	c:\program files (x86)\StarCraft II
2013-03-13 09:53 . 2013-03-13 16:33	--------	d-----w-	c:\program files (x86)\audiograbber
2013-03-06 08:48 . 2013-03-06 08:48	--------	d-----w-	c:\users\Hoof\AppData\Roaming\Trine2
2013-03-05 19:29 . 2013-03-05 19:29	--------	d-----w-	c:\users\Hoof\AppData\Roaming\runic games
2013-03-05 17:51 . 2013-03-05 19:34	--------	d-----w-	c:\program files (x86)\Torchlight
2013-03-02 17:02 . 2008-07-12 07:18	467984	----a-w-	c:\windows\SysWow64\d3dx10_39.dll
2013-03-02 17:02 . 2008-07-12 07:18	1493528	----a-w-	c:\windows\SysWow64\D3DCompiler_39.dll
2013-03-02 17:02 . 2008-07-12 07:18	540688	----a-w-	c:\windows\system32\d3dx10_39.dll
2013-03-02 17:02 . 2008-07-12 07:18	1942552	----a-w-	c:\windows\system32\D3DCompiler_39.dll
2013-03-02 17:02 . 2008-07-12 07:18	4992520	----a-w-	c:\windows\system32\D3DX9_39.dll
2013-03-02 17:00 . 2013-03-04 08:01	--------	d-----w-	c:\program files (x86)\Trine
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-23 08:00 . 2013-01-13 07:25	15712	----a-w-	c:\windows\system32\drivers\SWDUMon.sys
2013-03-18 15:42 . 2011-06-13 16:57	103736	----a-w-	c:\windows\SysWow64\PnkBstrB.exe
2013-03-18 15:42 . 2011-06-13 16:57	66872	----a-w-	c:\windows\SysWow64\PnkBstrA.exe
2013-03-18 06:50 . 2011-10-06 23:01	281688	----a-w-	c:\windows\SysWow64\PnkBstrB.xtr
2013-03-18 06:50 . 2011-06-13 16:57	281688	----a-w-	c:\windows\SysWow64\PnkBstrB.ex0
2013-03-12 21:41 . 2012-04-01 06:27	693976	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-12 21:41 . 2011-06-20 19:51	73432	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-12 20:31 . 2013-01-07 07:13	56072	----a-w-	c:\windows\system32\certsentry.dll
2013-03-12 20:31 . 2013-01-07 07:13	47368	----a-w-	c:\windows\SysWow64\certsentry.dll
2013-02-22 01:43 . 2013-02-22 01:43	46280	----a-w-	c:\windows\system32\drivers\hssdrv6.sys
2013-02-14 17:50 . 2013-02-14 17:50	66728	----a-w-	c:\windows\system32\drivers\vrtaucbl.sys
2013-01-18 14:11 . 2013-01-18 14:11	40960	----a-r-	c:\users\Hoof\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2013-01-18 14:11 . 2013-01-18 14:11	40960	----a-r-	c:\users\Hoof\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2013-01-05 03:48 . 2013-01-05 03:48	42328	----a-w-	c:\windows\system32\drivers\taphss6.sys
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	129272	----a-w-	c:\users\Hoof\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	129272	----a-w-	c:\users\Hoof\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	129272	----a-w-	c:\users\Hoof\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	129272	----a-w-	c:\users\Hoof\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2000-01-01 43608]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-12-19 642808]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" [2000-01-01 56128]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-03-22 385248]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 KMService;KMService;c:\windows\system32\srvany.exe [x]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-07-29 16776]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-07-29 9096]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-06-29 132608]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2009-06-29 116096]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-08-20 19032]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-08-20 12384]
R3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.24\RivaTuner64.sys [2013-01-15 19952]
R3 SliceDisk5;SliceDisk5;c:\program files\A-FF Find and Mount\slicedisk-x64.sys [x]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2013-03-23 15712]
R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesDriver64.sys [2009-10-14 11856]
R3 VLAN;Realtek Virtual Miniport Driver for VLAN (NDIS 6.2);c:\windows\system32\DRIVERS\RtVLAN60.sys [x]
R4 Dyyno Launcher;Dyyno Service;c:\program files (x86)\Dyyno Broadcaster\launcherd.exe [2011-08-31 415072]
R4 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;c:\program files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [2012-10-23 230416]
R4 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-02 3064000]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe [2011-11-21 1403200]
R4 VMCService;Vodafone Mobile Connect Service;c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2009-09-11 9216]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys [2000-01-01 652344]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys [2000-01-01 28216]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-22 27800]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-11-07 584056]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2012-11-07 38144]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-08-23 270912]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [2013-02-22 46280]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-12-19 240640]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-03-22 86752]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [2013-03-12 2074768]
S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\openvpnas.exe [2013-02-23 545576]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2013-02-23 389928]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage-Technologie;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2000-01-01 14904]
S2 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe [2000-01-01 72280]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-11-13 1103392]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-11-13 1369624]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-11-13 168384]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-08-29 645048]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-11-06 96256]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\DRIVERS\vrtaucbl.sys [2013-02-14 66728]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-11-19 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-11-19 181248]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2000-01-01 685672]
S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys [2013-01-05 42328]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-14 18:34	1629648	----a-w-	c:\program files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Inhalt des "geplante Tasks" Ordners
.
2013-03-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 21:41]
.
2013-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-07 09:49]
.
2013-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-07 09:49]
.
2013-03-23 c:\windows\Tasks\SlimDrivers Scan.job
- c:\program files (x86)\SlimDrivers\SlimDrivers.exe [2012-12-16 11:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	162552	----a-w-	c:\users\Hoof\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	162552	----a-w-	c:\users\Hoof\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	162552	----a-w-	c:\users\Hoof\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32	162552	----a-w-	c:\users\Hoof\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-03-07 15:31	776144	----a-w-	c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-03-07 15:31	776144	----a-w-	c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-03-07 15:31	776144	----a-w-	c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-03-07 15:31	776144	----a-w-	c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 9577680]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2000-01-01 13263072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll c:\windows\SysWOW64\guard32.dll c:\windows\System32\guard64.dll
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;10.*;192.168.*;127.0.0.1:895;127.0.0.1:896
uInternet Settings,ProxyServer = proxy.uni-hamburg.de:3128
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\Hoof\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\users\Hoof\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.2.1
DPF: CC679CB8-DC4B-458B-B817-D447B3B6AC31 - vpnweb.cab
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
AddRemove-SecureW2 EAP Suite - c:\program files (x86)\SecureW2\Uninstall.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*Œ#[]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*Œ#[\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**(*ƒ("!]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**(*ƒ("!\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5b,4c,1d,da,11,ad,b0,f3,86,ca,3f,fa,70,dd,d1,78,66,2b,b8,f8,f1,c6,e1,
   84,5b,83,a4,29,9b,32,f1,a7,5f,ca,95,5f,94,bf,f2,36,54,41,70,6c,8c,7f,df,83,\
"??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f
.
[HKEY_USERS\S-1-5-21-1699689582-2667143130-2167436585-1000\Software\SecuROM\License information*]
"datasecu"=hex:44,9c,cf,98,c6,9e,ea,a4,db,90,9c,53,e6,6d,33,aa,51,32,14,a9,e8,
   2b,17,fb,0c,11,ef,85,38,69,ee,03,f7,a4,a1,df,d0,17,90,e5,1b,ce,c9,e5,21,b3,\
"rkeysecu"=hex:7d,40,10,cb,c7,39,e0,67,0a,69,a8,47,07,da,5b,5c
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-03-27  11:36:12
ComboFix-quarantined-files.txt  2013-03-27 10:36
.
Vor Suchlauf: 12 Verzeichnis(se), 85.724.295.168 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 85.668.904.960 Bytes frei
.
- - End Of File - - 5C2C885E4F3FACD27FAE057924E7C37C

zoek Log

Code:

ATTFilter

Zoek.exe Version 4.0.0.2 Updated 23-03-2013
Tool run by Hoof on 27.03.2013 at 11:37:34,43.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected

==== Chrome Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
akglponhhkihkhccencmlfbbboejnelg - C:\Users\Hoof\AppData\Local\CRE\akglponhhkihkhccencmlfbbboejnelg.crx[14.11.2012 16:03]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx[02.10.2012 12:14]
nneajnkjbffgblleaoojgaacokifdkhm - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx[23.05.2011 19:24]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
akglponhhkihkhccencmlfbbboejnelg - C:\Users\Hoof\AppData\Local\CRE\akglponhhkihkhccencmlfbbboejnelg.crx[14.11.2012 16:03]
nikpibnbobmbdbheedjfogjlikpgpnhp - C:\Users\Hoof\AppData\Roaming\DVDVideoSoft\dvsYoutubeDownload.crx[26.09.2012 06:55]

WOT - Hoof - Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp
Last updated at time on date - Hoof - Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb
1-ClickWeather for Chrome - Hoof - Default\Extensions\fgmbighdoomjmebfbgplfmhcdbomjkoa
Stealthy - Hoof - Default\Extensions\ieaebnkibonmpbhdaanjkmedikadnoje
Auto Replay for YouTube - Hoof - Default\Extensions\kanbnempkjnhadplbfgdaagijdbdbjeb
Lyrics for YouTube\u2122 - Hoof - Default\Extensions\kggldhblikkmmnbkeococbeoaacgelkf
Auto HD For YouTube - Hoof - Default\Extensions\koiaokdomkpjdgniimnkhgbilbjgpeak
Stop Autoplay for YouTube. - Hoof - Default\Extensions\lgdfnbpkmkkdhgidgcpdkgpdlfjcgnnh
Google Mail Checker - Hoof - Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff
Anatronica - 3D Interactive Anatomy - Hoof - Default\Extensions\nalpooddpdnhjicpjgnhaihnnfnmbpee
Popout for YouTube\u2122 - Hoof - Default\Extensions\pofekaindcmmojfnfgbpklepkjfilcep

Das müsste alles sein. Danke schon mal

M-K-D-B · 27.03.2013, 12:48

Servus,

Aus deiner Logdatei:

Zitat:

R2 KMService;KMService;c:\windows\system32\srvany.exe

Die von mir gelisteten Einträge deuten stark darauf hin, dass auf diesem Rechner Software benutzt wird, die nicht legal erworben wurde.

Supportstopp

Lesestoff:
Cracks und Keygens
Den Kopierschutz von Software zu umgehen ist nach geltendem Recht illegal. Die Logfiles deuten stark darauf hin, dass du nicht legal erworbene Software einsetzt. Zudem sind Cracks und Patches aus dubioser Quelle sehr oft mit Schädlingen versehen, womit man sich also fast vorsätzlich infiziert.

Wir haben uns hier auf dem Board darauf geeinigt, dass wir an dieser Stelle nicht weiter bereinigen, da wir ein solches Vorgehen nicht unterstützen. Hinzu kommt, dass wir dich in unserer Anleitung und auch in diesem Wichtig-Thema unmissverständlich darauf hingewiesen haben, wie wir damit umgehen werden. Saubere, gute Software hat seinen Preis und die Softwarefirmen leben von diesen Einnahmen.

Unsere Hilfe beschränkt sich daher nur auf das Neuaufsetzen und Absichern deines Systems.
Fragen dazu beantworten wir dir aber weiterhin gerne und zwar in unserem Forum.

Damit ist das Thema beendet.