Stubborn Rootkit - Similar to TDSS

10 replies to this topic

#1 lexmar

  • Members
  • 7 posts
Posted 23 March 2009 - 03:41 PM

I am helping a college student fix her laptop, which was nearly inoperable when she brought it to me. Alas, her McAfee had expired and was 21 months past its last database update.

I plugged in a flash drive with Malwarebytes and immediately ran into something I hadn't seen before. My mbam-setup.exe wouldn't run! So, I figured I had messed up the file somehow, pulled the stick and went to my desktop to load a new one on it. BIG MISTAKE! Seems that whatever it was on her machine loaded a Recycle Bin and an Autorun.inf onto the stick and it attacked my machine via the spool server. SDAV let me block it, but I spent the next 3 hours running every tool I could think of on my desktop to make sure it was still clean, then burned the latest tools onto a CD and vowed not to use a stick again on a machine I had no idea what was wrong with.

Armed with a CD this time, an hours-old copy of mbam and some searching on BleepingComputer, I went back after it.

System: IBM T43 laptop
O/S Info: XP Pro SP2 installed over the original XP Home with Novell login usurping the Windows login.

1) BSOD'd when I tried to boot in safe mode.
2) Dragged mbam installer to desktop and renamed it. Installer ran, skipped the update phase as I didn't want to connect to a network yet.
3) Mbam wouldn't run. Uninstalled McAfee. Still wouldn't run.
4) Copied mbam and renamed it. Ran the copy and found a bunch of stuff, had it delete it. Rebooted as keys were marked for deletion.
5) Ran the copy again, found a bunch more stuff, had it delete it again and rebooted.
6) Tried to run the copy again and it ran over a PDF file in the user files and it froze.
7) Killed the stalled program in task manager.
8) Deleted the offending PDF file.
9) Tried to run the renamed mbam and it wouldn't launch. (What the heck is on this thing???)
10) Copied the entire malwarebytes folder and renamed it, renamed mbam as well.
11) Found a bunch of stuff, deleted it and rebooted.
12) Realized I had a rootkit - Next Spyware Doctor with Antivirus. No go on the installer.
13) Mbam had done enough that I could get to safe mode though. Got SDAV installer to run in safe mode.
14) SDAV found TDSS!SD6 rootkit and partially(?) killed it.
15) Rebooted and tried SDAV again, found a slew of junk deleted it and rebooted.
16) Tried the regular mbam and still blocked!!!
17) Ran SDAV again - showed clean.
18) Ran mbam right behind it found the following:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f68c6f6c-e11b-40b4-bd7e-7cab04d460a4} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f68c6f6c-e11b-40b4-bd7e-7cab04d460a4} (Trojan.BHO.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f68c6f6c-e11b-40b4-bd7e-7cab04d460a4} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atl7.dll (Trojan.BHO.H) -> No action taken.
C:\Documents and Settings\student\Local Settings\Temp\kkzhuaot.dat (Rootkit.Agent) -> No action taken.

19) Told it to fix it and rebooted. Ran again and they were still there! Tried ping ponging between SDAV and mbam, connected to internet and downloaded updates, reran and rebooted several times. They kept coming back.
20) Rebooted in BartPE. Manually deleted atl7.dll and kkzhuaot.dat. Rebooted to safe mode.
21) Ran mbam and whatever it was launched a second instance of mbam and froze up the machine. (visible in task manager not visible on desktop)
22) Copied the malwarebytes folder to a new location, renamed it and the exe.
23) Ran the newly relocated/renamed mbam and killed off what I could of the rootkits.
More research showed that some people were having luck with killing off hidden bogus device drivers that are masking or repopulating the nasties.
24) Found about 6 NIC drivers for devices not present in the machine. Couldn't uninstall them but could disable them.
25) Rebooted, checked that the drivers were still disabled.
26) Ran 3rd renamed mbam and have it down to this:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The system still freezes up and acts strangely. I am at the end of my ability to help this girl short of telling her to wipe the drive and reinstall. She has her senior project on the machine and her student teaching materials and I really want to be able to help her out. I would be happy to run HJT or some other tool to help diagnose the problem and would really appreciate your help and guidance on this little monster.
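The scan-to-scan comparison lexmar is doing by eye (the same four Browser Settings values survive every fix-and-reboot cycle) is the part of this triage worth automating. The Python below is an added example, not code from the post or from Malwarebytes: it parses two Malwarebytes log excerpts (constructed here from the two listings in the post) and reports which detections persisted, which were removed and which are new. A detection that is still present, unchanged, after a "Delete on reboot" pass is the signal that a component the scanner does not see is re-creating it, which is exactly what the hidden-driver hunt in steps 24 to 26 goes after.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two Malwarebytes listings from the post above, trimmed
# to the sections that carried detections. SCAN_BEFORE is the first full listing
# ("No action taken"); SCAN_AFTER is the listing from the third renamed copy.
SCAN_BEFORE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f68c6f6c-e11b-40b4-bd7e-7cab04d460a4} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f68c6f6c-e11b-40b4-bd7e-7cab04d460a4} (Trojan.BHO.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f68c6f6c-e11b-40b4-bd7e-7cab04d460a4} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atl7.dll (Trojan.BHO.H) -> No action taken.
C:\Documents and Settings\student\Local Settings\Temp\kkzhuaot.dat (Rootkit.Agent) -> No action taken.
"""

SCAN_AFTER = r"""
Registry Keys Infected: 0
Registry Values Infected: 4
Files Infected: 0

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Files Infected:
(No malicious items detected)
"""


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Registry Values Infected"
    item: str      # registry path or file path
    threat: str    # Malwarebytes classification, e.g. Trojan.Agent
    action: str    # "No action taken", "Delete on reboot", ...


# One detection line: "<item> (<threat>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Count lines in the summary header, e.g. "Registry Values Infected: 4"
SUMMARY_RE = re.compile(r"^[A-Za-z ]+ Infected: \d+$")


def parse_mbam_log(text):
    """Return the detections listed in a Malwarebytes log, tagged with their section."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SUMMARY_RE.match(line) or line.startswith("(No malicious"):
            continue
        if line.endswith(":"):          # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append(Detection(section, m["item"], m["threat"], m["action"]))
    return detections


def _key(d):
    # Registry and NTFS paths are case-insensitive, so compare them that way.
    return (d.section, d.item.lower())


def compare_scans(before, after):
    """Split detections into persisted, removed and new, keyed by (section, item)."""
    b = {_key(d): d for d in before}
    a = {_key(d): d for d in after}
    persisted = sorted(k for k in b if k in a)
    removed = sorted(k for k in b if k not in a)
    new = sorted(k for k in a if k not in b)
    return persisted, removed, new


def persistence_report(before_text, after_text):
    """Summary lines; the PERSISTED entries are the ones something keeps re-creating."""
    before, after = parse_mbam_log(before_text), parse_mbam_log(after_text)
    persisted, removed, new = compare_scans(before, after)
    lookup = {_key(d): d for d in after}
    lines = [f"{len(removed)} removed, {len(new)} new, {len(persisted)} persisted"]
    for k in persisted:
        d = lookup[k]
        lines.append(f"PERSISTED [{d.section}] {d.item} ({d.threat}) last action: {d.action}")
    return lines


if __name__ == "__main__":
    print("\n".join(persistence_report(SCAN_BEFORE, SCAN_AFTER)))
```

Run it on the two log files Malwarebytes saves (read them into the two strings) and anything listed as PERSISTED after a fix-and-reboot pass is a candidate for a driver or service that the scanner is not seeing, rather than something to delete a fourth time.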

#2 lexmar
  • Topic Starter

  • Members
  • 7 posts
Posted 31 March 2009 - 09:17 AM

Have not heard a response in 5 days plus. Just posting a reminder message.

#3 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
Posted 31 March 2009 - 09:43 AM

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
You may have to rename gmer to get it to run.
Chewy

No. Try not. Do... or do not. There is no try.
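When the gmer.log comes back, the first job is to attribute every hook to a module, because GMER marks every SSDT entry that is redirected into another driver with "<-- ROOTKIT !!!" whether a security product or malware put it there. The Python below is an added example, not part of DaChew's post and not GMER's own code: it parses the three GMER line types that matter for this thread (SSDT hooks, drivers whose file cannot be found, and user-mode .text hooks), groups the SSDT hooks by driver and vendor against an allowlist of vendors known to be installed on the machine, and lists the user-mode APIs that are hooked in every process, which is how one system-wide injected component shows up. The allowlist (PC Tools, since the poster installed Spyware Doctor with AntiVirus) is an assumption to edit per machine, and the sample log is constructed from the format used in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 format, built from the line types seen in this thread.
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-03 18:48:24
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xF27427A6] <-- ROOTKIT !!!
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF851AA3C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xF273ED0A] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

? nwfilter.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[416] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
"""

# "SSDT <module> (<description/vendor>) <ZwFunction> [0xADDR] ..."
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# ".text <process path>[<pid>] <dll>!<func>[ + off] <addr> <n> Bytes <detail>"
USER_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[\w.]+)!(?P<func>\w+)"
                     r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<rest>.*)$")
# "? <module> The system cannot find the file specified. !"
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")

# Assumption: vendors of security software known to be installed on this machine,
# normalised to lowercase letters only ("PC Tools" and "PCTools ..." both match).
TRUSTED_VENDOR_TOKENS = {"pctools"}


def parse_gmer_log(text):
    """Extract SSDT hooks, user-mode hooks and unresolvable driver files from a GMER log."""
    out = {"ssdt": [], "usermode": [], "missing": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            vendor = m["desc"].rsplit("/", 1)[-1].strip()   # text after the last "/"
            out["ssdt"].append({"module": m["module"], "vendor": vendor,
                                "func": m["func"], "addr": m["addr"]})
        elif (m := USER_RE.match(line)):
            exe = m["proc"].rsplit("\\", 1)[-1]
            out["usermode"].append({"process": f"{exe}[{m['pid']}]",
                                    "api": f"{m['dll']}!{m['func']}",
                                    "addr": m["addr"], "detail": m["rest"]})
        elif (m := MISSING_RE.match(line)):
            out["missing"].append(m["module"])
    return out


def triage_ssdt(ssdt_hooks, trusted_tokens=TRUSTED_VENDOR_TOKENS):
    """Group SSDT hooks by hooking driver and mark whether the vendor is on the allowlist."""
    by_module = {}
    for h in ssdt_hooks:
        entry = by_module.setdefault(h["module"], {"vendor": h["vendor"], "functions": [], "trusted": False})
        entry["functions"].append(h["func"])
        vendor_key = re.sub(r"[^a-z]", "", h["vendor"].lower())
        entry["trusted"] = any(tok in vendor_key for tok in trusted_tokens)
    return by_module


def hooks_by_process(usermode_hooks):
    """Map each process to the set of APIs GMER saw patched in it."""
    per = defaultdict(set)
    for h in usermode_hooks:
        per[h["process"]].add(h["api"])
    return dict(per)


def common_hooked_apis(usermode_hooks):
    """APIs hooked in every listed process: the footprint of one system-wide injected component."""
    per = hooks_by_process(usermode_hooks)
    return set.intersection(*per.values()) if per else set()


def report(text):
    r = parse_gmer_log(text)
    lines = []
    for module, info in triage_ssdt(r["ssdt"]).items():
        tag = "known vendor" if info["trusted"] else "UNATTRIBUTED"
        lines.append(f"SSDT {tag}: {module} ({info['vendor']}) hooks {', '.join(info['functions'])}")
    for module in r["missing"]:
        lines.append(f"MISSING FILE: {module} (driver referenced but not on disk)")
    lines.append("hooked in every process: " + ", ".join(sorted(common_hooked_apis(r["usermode"]))))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GMER_LOG)))
```

An SSDT module that comes out UNATTRIBUTED, or a driver in the MISSING FILE list that no installed product accounts for, is where to look next; hooks attributed to the security software the machine already runs are expected and are the reason the instructions above ask for real-time protection to be disabled before scanning.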

#4 lexmar
  • Topic Starter

  • Members
  • 7 posts
Posted 03 April 2009 - 06:13 PM

Thank you for your help. Gmer results follow this note.
From the infected machine the gmer.net website is blocked in IE; the program, once loaded onto the desktop via sneaker-net, did work without having to change the name though.

As far as I was able to get before, there are 4-5 hidden NIC drivers installed for nonexistent cards that I can't delete because they are required for startup. I believe they are reloading the rootkit after Malwarebytes removes the keys it sees.

Here is the gmer logfile; it took well over an hour to run:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-03 18:48:24
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xF27427A6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xF273F794] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xF273FF1E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xF27431F0] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xF274342A] <-- ROOTKIT !!!
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF851AA3C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xF274412A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xF274383C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xF273ED0A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xF273E384] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805AFD87 7 Bytes JMP 82BAD2F0
? nwfilter.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\rpcnet.exe[148] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rpcnet.exe[148] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\rpcnet.exe[148] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rpcnet.exe[148] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B60001
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\rpcnet.exe[148] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00900001
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F790F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F730F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[236] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F760F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C00001
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[284] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[416] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B10001
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\svchost.exe[416] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[416] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\svchost.exe[416] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\svchost.exe[416] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\svchost.exe[416] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[416] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[416] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\svchost.exe[416] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\svchost.exe[416] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\svchost.exe[416] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\svchost.exe[416] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\svchost.exe[416] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[416] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01330001
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\System32\svchost.exe[520] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[520] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\System32\svchost.exe[520] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[520] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00990001
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\System32\svchost.exe[520] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\System32\svchost.exe[520] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\System32\svchost.exe[520] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\System32\svchost.exe[520] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\System32\svchost.exe[520] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\System32\svchost.exe[520] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\System32\svchost.exe[520] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\System32\svchost.exe[520] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\System32\svchost.exe[520] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\System32\svchost.exe[520] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\System32\svchost.exe[520] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\System32\svchost.exe[520] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\System32\svchost.exe[520] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00990001
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\System32\svchost.exe[536] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\System32\svchost.exe[536] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\System32\svchost.exe[536] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\System32\svchost.exe[536] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00650001
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[624] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\csrss.exe[640] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 013C0001
.text C:\WINDOWS\system32\winlogon.exe[664] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 02510001
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [78, 5F] {JS 0x61}
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AC0001
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\services.exe[708] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\services.exe[708] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F7A0F5A
.text C:\WINDOWS\system32\services.exe[708] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\services.exe[708] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\services.exe[708] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\services.exe[708] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\services.exe[708] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7D0F5A
.text C:\WINDOWS\system32\services.exe[708] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\services.exe[708] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\services.exe[708] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\services.exe[708] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\services.exe[708] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\services.exe[708] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AD0001
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[712] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00FB0001
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\lsass.exe[720] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\lsass.exe[720] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\lsass.exe[720] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\lsass.exe[720] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\lsass.exe[720] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\lsass.exe[720] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\lsass.exe[720] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\lsass.exe[720] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\lsass.exe[720] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\lsass.exe[720] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\lsass.exe[720] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01070001
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\ibmpmsvc.exe[884] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[908] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[908] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[908] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01040001
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[908] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00EA0001
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\svchost.exe[936] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\svchost.exe[936] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\svchost.exe[936] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[936] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[936] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\svchost.exe[936] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\svchost.exe[936] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\svchost.exe[936] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\svchost.exe[936] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\svchost.exe[936] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[936] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C30001
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\svchost.exe[992] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\svchost.exe[992] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\svchost.exe[992] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[992] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00720001
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1048] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 003F0001
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Activ Software\Activdriver\ActivControl2.exe[1056] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [78, 5F] {JS 0x61}
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 022E0001
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F7A0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7D0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\System32\svchost.exe[1088] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\System32\svchost.exe[1088] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\System32\svchost.exe[1088] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\System32\svchost.exe[1088] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01400001
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1140] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01360001
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1260] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00630001
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1340] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B90001
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\svchost.exe[1368] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\svchost.exe[1368] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\svchost.exe[1368] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[1368] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A40001
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\svchost.exe[1376] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\svchost.exe[1376] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[1376] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wdfmgr.exe[1404] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\wdfmgr.exe[1404] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wdfmgr.exe[1404] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00660001
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1404] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00390001
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\System32\TPHDEXLG.EXE[1424] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B00001
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\svchost.exe[1476] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\svchost.exe[1476] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\svchost.exe[1476] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[1476] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00960001
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1496] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B10001
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe[1560] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A

********* Continued In Another Reply - File Too Long ********************

#5 lexmar
  • Topic Starter
  • Members
  • 7 posts

Posted 03 April 2009 - 06:22 PM

GMER LOG FILE CONTINUED

********************* BREAK 1 **********************************
.text C:\WINDOWS\system32\spoolsv.exe[1668] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1668] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\spoolsv.exe[1668] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1668] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01130001
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\spoolsv.exe[1668] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\wanmpsvc.exe[1760] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\wanmpsvc.exe[1760] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\wanmpsvc.exe[1760] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00DE0001
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\wanmpsvc.exe[1760] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B00001
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe[1776] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wuauclt.exe[1800] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\wuauclt.exe[1800] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wuauclt.exe[1800] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AE0001
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\wuauclt.exe[1800] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01540001
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C80001
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1976] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 007F0001
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\svchost.exe[2016] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2016] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\svchost.exe[2016] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2016] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00640001
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[2016] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\svchost.exe[2016] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\svchost.exe[2016] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[2016] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[2016] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\svchost.exe[2016] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\svchost.exe[2016] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\svchost.exe[2016] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\svchost.exe[2016] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[2016] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\QuickTime\QTTask.exe[2060] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\QuickTime\QTTask.exe[2060] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\QuickTime\QTTask.exe[2060] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00930001
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\QuickTime\QTTask.exe[2060] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 003D0001
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\NWTRAY.EXE[2072] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F760F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AF0001
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\Ati2evxx.exe[2148] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2316] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\ctfmon.exe[2316] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2316] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AF0001
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\ctfmon.exe[2316] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\TpShocks.exe[2336] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\WINDOWS\system32\TpShocks.exe[2336] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\TpShocks.exe[2336] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AC0001
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\TpShocks.exe[2336] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[2384] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[2384] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[2384] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 008A0001
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2384] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 003E0001
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F790F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F730F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F760F5A
.text C:\Program Files\Spyware Doctor\TFEngine\TFService.exe[2488] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [41, 5F] {INC ECX; POP EDI}
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [05, 5F]
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F310F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F340F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F280F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F370F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F3A0F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\Documents and Settings\IBM\Desktop\gmer\gmer.exe[2508] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A

#6 lexmar

lexmar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 03 April 2009 - 06:25 PM

GMER LOGFILE PART 3 CONTINUED (Sorry, couldn't find a place to send it as an attachment for an overlong post; I can post the logfile to a website here or email the whole thing separately if you want it in one piece)

.text C:\WINDOWS\System32\alg.exe[3436] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\WINDOWS\System32\alg.exe[3436] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\System32\alg.exe[3436] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [3B, 5F]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0044A81D C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F400F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F340F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F430F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F460F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F520F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F490F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F370F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] shell32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F310F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] shell32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] shell32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F280F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3620] shell32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ICO.EXE[3720] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\WINDOWS\system32\ICO.EXE[3720] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ICO.EXE[3720] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A90001
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\ICO.EXE[3720] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [77, 5F] {JA 0x61}
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [65, 5F]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 008C0001
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F670F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F700F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F730F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F610F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F790F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F580F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F520F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3808] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F550F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 003C0001
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] SHELL32.dll!ShellExecuteExW 7CA01823 6 Bytes JMP 5F760F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] SHELL32.dll!ShellExecuteEx 7CA40C15 6 Bytes JMP 5F730F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] SHELL32.dll!ShellExecuteA 7CA40F40 6 Bytes JMP 5F790F5A
.text C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] SHELL32.dll!ShellExecuteW 7CAB4FD0 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [6B, 5F]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [59, 5F] {POP ECX; POP EDI}
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F310F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AA0001
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F400F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F370F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F430F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F520F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F610F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F640F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F490F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F460F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F700F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F670F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F550F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F340F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[4000] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F6D0F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1960] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp pctfw2.sys (PC Tools TDI Driver/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACfrqaiqmo.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000e9b9d906e
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000e9bde57c5
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020e03b451e
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACfrqaiqmo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACfrqaiqmo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACqxiqyrbp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpkdaifub.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACrqttlrnp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACujxvkjtm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACpulkgrmy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UAChjpxewto.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UAClobbvvxf.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACijyobqlx.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACevxehrbl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000e9b9d906e
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000e9bde57c5
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0020e03b451e
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACfrqaiqmo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACfrqaiqmo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACqxiqyrbp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACpkdaifub.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACrqttlrnp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACujxvkjtm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACpulkgrmy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UAChjpxewto.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UAClobbvvxf.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACijyobqlx.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACevxehrbl.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\config\software.LOG (size mismatch) 36864/28672 bytes

---- EOF - GMER 1.0.15 ----
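The GMER output above is long, but only a few line shapes matter for triage: the `Service` line marked `*** hidden ***`, the `Reg` values under that service whose data resolves through `\\?\globalroot` (the rootkit's own module list), and the `IAT` hook lines. The script below is an added example written for this thread; it is not GMER's code and was not posted by anyone in the thread. It parses those three line shapes, correlates the hidden service with the registry values under its key, and counts IAT hooks per hooking DLL. The line formats are inferred from the log as shown rather than taken from GMER documentation, and `SAMPLE_LOG` is constructed from those shapes.

```python
r"""Triage helper for GMER-style text logs.

Added example, not from the thread or from GMER. It recognises three line
shapes visible in the log: 'IAT' hooks, 'Service' entries and 'Reg' entries,
and reports what a defender wants first when a service is flagged hidden:
the service name and image, every registry value under that service that
points through \\?\globalroot, and a count of IAT hooks per hooking DLL.
The regexes are inferred from the visible output (an assumption), and
SAMPLE_LOG is constructed from the same line shapes.
"""
import re
from collections import Counter

# Constructed sample, shaped like the GMER 1.0.15 output in the thread.
SAMPLE_LOG = r"""
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1126653565\ee\AOLSoftware.exe[3904] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACfrqaiqmo.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACfrqaiqmo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACfrqaiqmo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACqxiqyrbp.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
"""

# Service <image> (<flags>) [<start>] <name> ...
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[^\]]*)\]\s+(?P<name>\S+)")
# IAT <process>[<pid>] @ <module> [<import>] [<addr>] <hooking dll> (<description>)
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+\[(?P<imp>[^\]]+)\]"
    r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>.+?)\s+\((?P<desc>[^)]*)\)\s*$")
GLOBALROOT = r"\\?\globalroot"


def parse_reg(line):
    """Split 'Reg <key>[@<value> [<data>]]' into (key, value, data).

    Keys may contain spaces ('Windows NT'), so split on the first '@' rather
    than on whitespace; value and data are separated by the first space."""
    rest = line[len("Reg "):].strip()
    key, sep, tail = rest.partition("@")
    if not sep:
        return key, None, None
    value, _, data = tail.partition(" ")
    return key, value, data or None


def triage(log_text):
    """Walk the log once and collect the three indicator classes."""
    hidden, modules, hooks = [], {}, Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Service "):
            m = SERVICE_RE.match(line)
            if m and "hidden" in m.group("flags"):
                hidden.append({"name": m.group("name"), "image": m.group("image")})
        elif line.startswith("Reg "):
            key, value, data = parse_reg(line)
            # Values that resolve through \\?\globalroot bypass the normal path
            # namespace; in this log they are the rootkit's module list.
            if data and data.lower().startswith(GLOBALROOT):
                modules.setdefault(key, []).append((value, data))
        elif line.startswith("IAT "):
            m = IAT_RE.match(line)
            if m:
                hooks[m.group("target")] += 1
    return {"hidden_services": hidden, "globalroot_refs": modules, "iat_hooks": dict(hooks)}


def service_artifacts(result):
    """Map each hidden service name to the globalroot files registered under its key."""
    out = {}
    for svc in result["hidden_services"]:
        needle = "\\services\\" + svc["name"].lower() + "\\"
        files = set()
        for key, refs in result["globalroot_refs"].items():
            if needle in key.lower():
                files.update(data for _, data in refs)
        out[svc["name"]] = sorted(files)
    return out


if __name__ == "__main__":
    import sys
    # Pass a saved GMER log path to triage it; with no argument the sample runs.
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    result = triage(text)
    for svc in result["hidden_services"]:
        print(f"hidden service {svc['name']} image={svc['image']}")
    for name, files in service_artifacts(result).items():
        for path in files:
            print(f"  {name} module: {path}")
    for dll, n in sorted(result["iat_hooks"].items(), key=lambda kv: -kv[1]):
        print(f"IAT hooks by {dll}: {n}")
```

Run against the sample, the script lists `UACd.sys` with its driver image and the two `\\?\globalroot` module paths registered under its key, and two IAT hooks attributed to `tbdiag.dll`. The hook count is deliberately neutral: GMER prints a vendor description in parentheses, and the AOL diagnostic DLL here is benign, so the count is a review list, not a verdict.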

#7 DaChew

Posted 03 April 2009 - 06:40 PM

As you may have already figured out, this is a nasty infection.

Let's see if a different rootkit scanner can find the file.

This shouldn't take long at all, if it works.

http://www.malwarebytes.org/forums/index.php?showtopic=12709

You really need to consider posting in our HJT forum or reloading your computer but I can understand you wanting to beat this.
Chewy

No. Try not. Do... or do not. There is no try.

#8 lexmar (Topic Starter)

Posted 05 April 2009 - 12:12 PM

Tried the other tool; it can see the driver UACd running in hidden services. The driver is UACfrqaiqmo.sys in the System32\Drivers folder. It can't wipe or force delete it. Tried to find the file and delete it in BartPE but can't locate it. The UACd keys are empty. Any ideas?

#9 DaChew

Posted 05 April 2009 - 05:54 PM

If you ran gmer and just scanned for SSD's, would it allow you to attack them?
Chewy

No. Try not. Do... or do not. There is no try.

#10 lexmar (Topic Starter)

Posted 06 April 2009 - 07:48 PM

Uninstalled PCTools SDAV after seeing some of its processes still running after being disabled; thought it may be interfering with other tools. The RootRepeal installs MS System Recovery Console. The link you provided went to a forum where they were able to kill the service with either the MMSRC or Combofix. Other info there led me to look at the non-plug-and-play devices again and I disabled tnsbjeov using MMSRC. Rebooted, ran Combofix. Combofix found UACd.sys, killed it and did a reboot. (Sorry - I forgot to keep the log from ComboFix.) It continued to run and completed. Immediately ran MalwareBytes and it got the rest.

Malwarebytes' Anti-Malware 1.34
Database version: 1943
Windows 5.1.2600 Service Pack 2

4/6/2009 2:13:59 PM
mbam-log-2009-04-06 (14-13-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203806
Time elapsed: 34 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tnsbjeov (Rootkit.Agent.Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tnsbjeov (Rootkit.Agent.Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tnsbjeov (Rootkit.Agent.Z) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\tnsbjeov.sys (Rootkit.Agent.Z) -> Quarantined and deleted successfully.

Rebooted and ran Malwarebytes to confirm it was still clean. Then reinstalled SDAV, updated and ran a full scan with rootkit detection on; it found the usual benign stuff from legitimate programs but was otherwise clean as well.

Drivers for some of the networking were damaged and I had to reinstall them. The O/S appears somewhat unstable as well, but she has a slew of stuff running on the box and only 512MB of RAM, and I hate the Novell client that the schools all use.

System appears clean.

I think in retrospect killing off tnsbjeov.sys at the outset would have shortened the process and allowed the renamed MBAM, GMER or SOPHOS to do their work. I have a disk image of the original infected machine but due to the ability of this virus to jump from drive to drive I am reluctant to load it up on a virtual machine running on one of my production servers here.

I believe this system is now fixed. I would not have been able to find the right things to kill it without you making ALL the suggestions you did and helping me work through it. Thank you very much!

#11 DaChew

Posted 06 April 2009 - 09:13 PM

You seem ready to set up a test box and join the frontliners in this war. The MSRC is usually ineffective.

Quite a suite of rootkits tho
Chewy

No. Try not. Do... or do not. There is no try.



